Provisions for the processing of personal data on behalf of a controller pursuant to Art. 28 DS-GVO

The following provisions shall apply in the event that Neo Commerce GmbH, Max-Bill-Str. 8, 80807 Munich, Germany (hereinafter "Contractor") is commissioned by the Client to provide contractor services in the area of Guided Selling/Digital Product Consulting as a software solution (SaaS) on the basis of the Cloud Software (SaaS) user agreement designed as a link to the General Terms and Conditions, hereinafter "Main Agreement".Part of the performance of the Main Contract is the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR"). In order to meet the requirements of the DS-GVO for such constellations, the following provisions shall apply and conclusively regulate the processing of personal data by the Contractor on behalf of the Customer.


Subject matter/scope of the order processing


The cooperation of the Parties in accordance with the Main Agreement entails that the Contractor obtains access to personal data of the Client (hereinafter "Client Data") and processes such data exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 DS-GVO.


The processing of the Client Data by the Contractor shall be carried out exclusively in the manner specified in Appendix 1 and to the extent and for the purpose specified therein. The group of persons affected by the data processing is shown in Appendix 2 to this contract. The duration of the processing corresponds to the term of the main contract.


The client’s authority to issue directives


The Contractor shall process the Client Data only within the scope of the commission and exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 of the German Data Protection Regulation (Order Processing). In this respect, the Client shall have the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions").


Instructions shall generally be issued by the Client in writing; instructions issued verbally shall be confirmed by the Client in writing. The persons authorized to give and receive instructions shall be determined upon request. In the event of a change or long-term prevention of the persons authorized to receive instructions, the successor or representative shall be named to the other party in text form without delay. The Contractor shall notify the Customer of a change in the person authorized to receive instructions in good time. Until receipt of such notification by the Customer, the designated persons shall continue to be deemed authorized to receive.


If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.


Protective measures of the contractor


The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.


Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as "Employees") to maintain confidentiality in writing (confidentiality obligation, Art. 28(3)(b) DS-GVO) and shall ensure compliance with this obligation with due care.


The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. He undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 DS-GVO and to maintain these measures for the duration of the processing of the Client Data.


The Contractor reserves the right to change the technical and organizational measures taken, while ensuring that the contractually agreed level of protection is not undercut.


At the request of the Customer, the Contractor shall provide the Customer with suitable evidence of compliance with technical and organizational measures.


Information and support obligations of the contractor


In the event of significant disruptions, suspicion of significant data protection violations or security-relevant incidents in the processing of the Client Data by the Contractor, by persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Customer in writing or electronically without undue delay, but no later than within thirty-six (36) hours. The same shall apply to audits of the Contractor by the data protection supervisory authority. The notifications pursuant to Section 4.1 Sentence 1 shall in each case contain at least the information specified in Article 33 (3) of the GDPR.


In the event of Section 4.1, the Contractor shall support the Client in the fulfillment of its clarification, remedial and information measures in this regard to the extent reasonable. In particular, the Contractor shall immediately implement the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the Customer thereof and request the Client to issue further instructions.


The Contractor undertakes to provide the Client, upon the latter's written request and within a reasonable period of time, with such information and evidence as may be required to carry out an inspection pursuant to Section 7.1 of this Agreement.


Other obligations of the contractor


The Contractor confirms that it has appointed a contact person for data protection. The contact details of the contact person for data protection are Dana Nedamaldeen,, +49 588 05 57 20. The Client shall be notified in writing of any change in the person of the contact person for data protection.


Subcontractor relationships


Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services which the Contractor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Client’s data also in the case of outsourced ancillary services.


The Client agrees to the engagement of the following subcontractors under the condition of a contractual agreement in accordance with Art. 28 Para. 2-4 DS-GVO: https: //


Within the scope of its contractual obligations, the Contractor shall be authorized to establish further subcontracting relationships with subcontractors. He shall inform the Customer thereof without delay. The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Customer can also exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard contractual clauses). Upon request, the Contractor shall provide the Customer with evidence of the conclusion of the aforementioned agreements with its subcontractors.


Control rights


The Client shall be entitled to regularly assure itself of compliance with the provisions of this Agreement. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or have the Contractor's technical and organizational measures inspected personally or by an expert third party during normal business hours and after at least one week's advance notice in consultation with the Contractor, provided that the third party is not in a competitive relationship with the Contractor.


The Client shall carry out inspections without cause no more than once a year and only to the extent necessary and shall take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.


The Client shall document the inspection result and notify the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.


Rights of affected persons


The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Articles 12 to 22 and Articles 32 to 36 of the GDPR. The Contractor shall provide the Client with the requested information on Client Data without undue delay, but no later than within five (5) business days, unless the Client has the relevant information itself.


If the data subject asserts its rights pursuant to Articles 16 to 18 of the GDPR, the Contractor shall be obligated to correct, delete or restrict the Client Data without undue delay, at the latest within a period of fourteen (14) working days, upon instruction of the Client. The Contractor shall provide the Client with written evidence of the deletion, correction or restriction of the data upon request.


If a data subject asserts rights, such as the right to information, correction or deletion with regard to his data, directly against the Contractor, the Contractor shall forward this request to the Client without undue delay, but no later than within three (3) business days and shall await the Client's instructions.


Term and termination


The term of this agreement corresponds to the term of the main agreement. If the main contract can be terminated by ordinary notice, the provisions on ordinary notice of termination shall apply accordingly. In case of doubt, a termination of the main contract shall also be deemed a termination of this contract and a termination of this contract shall be deemed a termination of the main contract.


The Client shall be entitled to extraordinary termination of this contract for good cause at any time. Good cause shall be deemed to exist if the Contractor fails to comply with its material contractual obligations, violates provisions of the GDPR with intent or gross negligence or is unable or unwilling to carry out an instruction of the Client. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Client shall first set the Contractor a reasonable deadline of at least fifteen (15) business days within which the Contractor can remedy the violation. After fruitless expiry of this period, the Client shall then be entitled to extraordinary termination.


Deletion and return after the end of the contract


After termination of the main contract at any time upon the Client’s written request, all documents, data and data carriers provided to the Contractor shall be returned to the Client or, upon the Client's written request, deleted completely and irrevocably by the Contractor, unless a statutory retention period exists. This shall also apply to copies of the Client Data at the Contractor's premises, such as data backups, but not to documentation that serves as evidence of the proper processing of the Client Data in accordance with the order. The Contractor shall confirm the deletion to the Client in writing.




The liability of the parties is governed by the main contract.


Final provisions


Amendments and supplements to this agreement must be made in writing. This shall also apply to any waiver of this formal requirement.


In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract. Should individual provisions of this agreement prove to be invalid or unenforceable in whole or in part, or become invalid or unenforceable as a result of changes in legislation after conclusion of the agreement, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by the valid and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.


This agreement is subject to German law. The exclusive place of jurisdiction is Munich.

Final provisions

Appendix 1 - Specification of type, scope and purpose of data processing
Appendix 2 - Description of the types of data and the categories of data subjects

Appendix 1 - Specification of type, scope and purpose of data processing

Data processing in relation to the Client

●  The Client receives personal access to the Contractor's software
●  The Contractor creates a user profile for the Client for this purpose
●  The following information of the Client is stored in this profile:
     o Admin user email address
     o Admin user password
     o First & last name of the admin user
     o Company and company address of the admin user

Data processing in relation to customers of the Client


The Contractor shall provide the Client with software that enables the Client's customer to make use of digital product consulting.


The digital consultation is conducted in a quiz-like process with the Client's customer. Following the consultation, the Client's customer receives a product recommendation.


In the course of consultation, standard browser HTTP information is processed, See Appendix 2.


At the end of the consultation, the Client's customer then has the option of having the results sent to them via e-mail.


In a form mask, the customer of the Client enters his e-mail address and can, with the consent of the privacy policy of the Client, receive the results.


For sending e-mails to the Client's customers, the Contractor shall use e-mail marketing software, listed under Section 6.2 of the GTC.


The browser data is processed to provide performance data to the Client.


The e-mail of the Client's customer is collected in order to send him the results of the consultation. With the consent of the Client’s customer, the Client may use the e-mailfor their own advertising purposes.

Appendix 2 - Description of the types of data and the categories of data subjects

The categories of data subjects affected by the processing include:

●  Website visitors of the Client
●  Employees of the Client

The subject of the processing of personal data are the following types/categories of data:

Browser HTTP information


User agent


IP address (will not be stored)




Neocom session ID to identify a consulting session/ browser session


Neocom conversation ID to identify a single consultation by Neocom


Neocom user ID to identify a user across multiple browser sessions (necessary forconversion tracking). No cookie is stored on the Neocom domain, but on the Client’s domain.

User information of the Client

●  Admin user email address
●  Admin user password
●  First & last name of the admin user
●  Company and company address of the admin user