TrustBills Marketplace GmbH, Große Elbstraße 86, 22767 Hamburg, entered in the Commercial Register of the Hamburg District Court under file number HRB 138 356
TrustBills Technologies GmbH, Große Elbstraße 86, 22767 Hamburg, entered in the Commercial Register of the Hamburg District Court under file number HRB 157 446
TrustBills Technologies GmbH
TrustBills Marketplace and TrustBills Technologies are hereinafter jointly referred to as 'Parties', and individually referred to as a 'Party'.
TrustBills Technologies GmbH enables trading in trade receivables via an Internet auction platform. The auction platform is operated by TrustBills Marketplace. TrustBills Technologies GmbH holds a 100% stake in TrustBills Marketplace. TrustBills Marketplace provides various services to participants and collects the fees paid by the participants. It supports TrustBills Technologies GmbH by providing services. TrustBills Technologies GmbH also provides TrustBills Marketplace with a (technical) infrastructure for use in return for a lump sum payment.
The Parties are a group of companies in accordance with Article 4 No. 19 EU GDPR in conjunction with the Recital 37 EU GDPR. The purposes and the means of processing personal data as well as the type of personal data are regularly jointly determined in accordance with Article 26 EU GDPR
The purpose and means of the data processing is the operation of a joint online auction platform for the sale of trade receivables and the use of data for joint participant management (including master data, sales, billing).
Which party fulfils which obligation under EU GDPR, in particular with regard to the exercise of the rights of the data subject and the information obligations in accordance with Articles 13 and 14 EU GDPR, is specified below. The determination of an original data controller is based on and duly reflects the controller’s actual function and relationship with the data subject. In the event that a determination should be considered insufficient, the Parties agree on TrustBills Marketplace GmbH as the responsible data controller.
The duties of information in accordance with Articles 13 and 14 EU GDPR shall be handled by TrustBills Marketplace GmbH.
The processing of requests for information under Article 15 EU GDPR shall be handled by TrustBills Marketplace GmbH.
The processing of correction requests under Article 16 EU GDPR shall be handled by TrustBills Marketplace GmbH.
The processing of deletion requests or processing restrictions in accordance with Article 17 or 18 EU GDPR and the notification of the obligation to delete in accordance with Article 19 EU GDPR shall be handled by TrustBills Marketplace GmbH.
The processing of data transferability requests according to Article 20 EU GDPR shall be handled by TrustBills Marketplace GmbH.
The processing of objections in accordance with Article 21 GDPR shall be handled by TrustBills Marketplace GmbH.
The technical and organisational measures required under Article 24 (1) clause 1 in connection with Article 32, 35, 36 (3) EU GDPR after a risk assessment and, if necessary, data protection impact assessment, as well as the consultation of a supervisory authority or the transmission of the necessary information, shall be handled by TrustBills Technologies GmbH.
The documentation of the selection of technical and organisational measures as well as the review and updating of the measures in accordance with Article 24 (1) clause 2 EU GDPR required by Article 24 (1) clause 1 EU GDPR shall be carried out by TrustBills Technologies GmbH.
The involvement of order data processors or subcontracting order processors within the meaning of Article 28 EU GPDR and its review is the responsibility of TrustBills Technologies GmbH.
The Parties agree on the uniform appointment by TrustBills Technologies GmbH of a data protection officer for the group of companies within the meaning of Article 37 (2) EU GDPR as soon as the Parties are legally required to appoint one. As soon as he/she has been appointed, the data protection officer shall act as a point of contact for the data subjects within the meaning of Article 26 (1) clause 3 EU GDPR and coordinates the maintenance of the list of processing activities under Article 30 EU GDPR.
Under Article 26 (2) clause 2 EU GDPR, data subjects shall be provided with the essential details of this agreement on joint data controllers. TrustBills Technologies GmbH shall inform its employees by means of internal circulars. External data subjects shall be provided with the information in a general form by TrustBills Marketplace GmbH under the framework of the website.
TrustBills Technologies GmbH is responsible for an orderly process in the event of reportable data breaches in accordance with Articles 33 and 34 EU GDPR for the group of companies.
The data subject is free to assert his/her rights with and against any responsible Party. The Party sued may forward the data subject's request for processing to the other Party or to the data protection officer, provided that the latter is the lead data controller and the data subject does not suffer any disadvantage as a result of the forwarding.
Joint responsibility alone does not give the Parties a basis for the processing and transmission of personal data. This requires a separate justification under Article 6 EU GDPR, which, unless a different determination is made in individual cases, lies in the legitimate interests of the Parties under Article 6 (1) clause 1 lit. f in conjunction with Recital 48 GDPR, to transmit personal data within a group of companies for internal administrative purposes, including the processing of personal data of customers and employees. A transfer to a third country is not envisaged.
The parties shall jointly process the following categories of data:
The personal data collected shall be transmitted to our own servers in encrypted form and stored there. The data is only stored there. The data shall not be passed on to third parties.
Each Party shall inform the other Party as soon as it becomes aware of a data breach or as soon as a data subject asserts his rights.
It is agreed that the security guidelines for which TrustBills Technologies GmbH is responsible shall be adopted and applied by the other Party. All employees of a party are obligated to this and shall be informed about the special protection of personal data.
This agreement is concluded for an indefinite period. It can be terminated by either Party with 3 months' notice to the end of the month. This shall not affect the right to terminate the contract for just cause. Any notice of termination must be issued in writing to become effective.
The place of performance for the mutual obligations is Hamburg. The law of the Federal Republic of Germany shall apply. The exclusive legal venue for all disputes arising in connection with this contract, including disputes based on tort, is Hamburg.
There are no side agreements to this contract. Changes or additions must be made in writing to be legally effective. This also applies to the waiver of the written form requirement.
Should any provision of this contract be invalid, this shall not affect the validity of the remaining provisions of this contract. This also applies if the contract contains a loophole. In place of an invalid provision or loophole, the Parties shall agree an appropriate substitute provision which comes closest to what the Parties would have wanted if they had considered this aspect.
Hamburg, 01/8/2019 sgd. Joerg Hoerster & Dr. Johannes Ulbricht
TrustBills Technologies GmbH
Hamburg, 01/8/2019 sgd. Joerg Hoerster & Dr. Johannes Ulbricht
TrustBills Marketplace GmbH
|Obligations according to EU GDPR||Data controller|
|Determination of the type of personal data||TrustBills Technologies GmbH & TrustBills Marketplace|
|Determination of the purpose and means of data processing||TrustBills Technologies GmbH & TrustBills Marketplace|
|Article 26 (1) EU GDPR – Determination of responsibility with regard to the individual obligations in an agreement||TrustBills Technologies GmbH & TrustBills Marketplace|
|Article 26 (1) EU GDPR – Indication of a point of contact for the data subjects||TrustBills Technologies GmbH|
|Article 26 (2) EU GDPR – Making the essence of the agreement available||TrustBills Technologies GmbH & TrustBills Marketplace|
|Article 13 EU GDPR – Duty to inform when collecting personal data from the data subject||TrustBills Marketplace|
|Article 14 EU GDPR – Duty to inform when collecting personal data not collected from the data subject||TrustBills Marketplace|
|Article 15 EU GDPR – Processing of the data subject's request for information||TrustBills Marketplace|
|Article 16 EU GDPR – Processing of the data subject's request for correction||TrustBills Marketplace|
|Article 17 or Article 18 EU GDPR, Article 19 EU GDPR – Processing of requests for deletion or requests to restrict processing and notification of an obligation to delete||TrustBills Marketplace|
|Article 20 EU GDPR – Processing of requests for transmission (data portability)||TrustBills Marketplace|
|Article 21 EU GDPR – Processing of objections||TrustBills Marketplace|
|Article 24 (1) in conjunction with Article 32, Article 35, Article 36 (3) EU GDPR – Determination of technical and organisational measures after risk assessment and data protection impact assessment if necessary; consultation of the supervisory authority/transmission of the necessary information||TrustBills Technologies GmbH|
|Article 24 (1) EU GDPR – Documentation of the selection of the technical and organisational Measures||TrustBills Technologies GmbH|
|Article 24 (1) EU GDPR – Review and updating of technical and organisational Measures||TrustBills Technologies GmbH|
|Article 28 EU GDPR – Involvement and verification of order processors and subcontracting order processors||TrustBills Technologies GmbH|
|Article 30 EU GDPR – Keeping the list of processing activities||TrustBills Technologies GmbH|
|Article 33, 34 EU GDPR – Processes in the event of reportable data breaches||TrustBills Technologies GmbH|