N-Centive Start Free Trial

Data Processing Agreement

Stand 09.12.2021 Print DE

By creating an account, you (hereafter referred to as "Client") electronically agree to this contract, the data processing agreement (also AVV, or in the English DPA). This agreement is permanently available for your information in your account.

This Agreement supplements the existing General Terms and Conditions for the use of the N-Centive Service (hereinafter "Service") operated by CBV-Media with registered office: Laubacher Strasse 13, 56288 Spesenroth, RLP, Germany (hereinafter "N-Centive", "we", "us ", "Contractor"). In the case of a representation of these conditions in a language other than German, note that only the original German version is legally binding.

1. Subject and duration of the contract

The contractor processes personal data on behalf of the client

The subject of the order is the use of address data of the client for the creation of customer loyalty programs.

The details of the services result from the General Terms and Conditions (https://www.n-centive.com/legal/terms?lang=en), which are expressly accepted by the CLIENT when registering for N-Centive. These services are referred to here (in the following performance agreement).

The duration of this contract (term) is the duration of the service agreement. The provisions for terminating the service agreement also apply to this contract. Termination of the service agreement entitles both parties to terminate this contract.

In addition, the parties agree that prior contracts for order data processing or order processing will be terminated by mutual agreement upon conclusion of this Agreement.

2. Specification of the content of the contract (scope, nature and purpose of the data processing, type of data, circle of data subjects)

The scope, nature and purpose of the data processing are limited to the use of address data for the creation of loyalty programs for the customer and the sending of emails to their participants.

The processing and use of the data takes place exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union or in another Contracting State of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special conditions of Art. 7 GDPR are fulfilled.

The subject of the processing of personal data is customer data from the client

The persons affected by the handling of their personal data in the context of this order are customers, business contacts and interested parties of the client.

The types of data processed and the categories of data subjects are set out in Appendix 1 to this contract.

3. Technical and organizational measures, impact assessment

The contractor is obligated to document the technical and organizational measures required under Art. 32 GDPR before beginning the collection, processing, or use of personal data - with special consideration of the specific execution of the order - and to make this documentation available to the client upon request. The technical and organizational measures required by Art. 32 GDPR are listed in the data protection concept attached as Annex 2 for the aforementioned purpose and are part of this agreement.

The technical and organizational measures are subject to technical progress and further development; in this respect, the contractor is permitted to implement alternative adequate measures, provided that the level of safety of the specified measures is not undershot. The contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis. The customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.

4. Correction, deletion and blocking of data

The contractor shall only correct, delete or block the personal data collected, processed or used on behalf of the client. If an affected person should contact N-Centive directly for the purpose of rectifying, deleting or blocking his / her data, the contractor is obliged to forward this request to the client immediately upon receipt. Any costs incurred by this procedure shall be borne by the client.

5. Data protection control and information obligation

The contractor has the following obligations pursuant to Art. 28ff GDPR:

  • Written order - if required by law - a data protection officer. Its contact details will be communicated to the client on request
  • Preservation of the confidentiality of data according to Art. 29 GDPR. All persons who are authorized to access personal data of the client in accordance with the order shall be obliged to maintain the confidentiality of the data and will be instructed about the special data protection obligations resulting from this order as well as the existing instruction or purpose limitation.
  • Immediate information of the client about control actions and measures of the supervisory authority according to Art. 57 GDPR. This also applies insofar as a competent authority has determined according to Art. 83 GDPR at the contractor.
  • Notifications to the Client in all cases in which he or the persons or subcontractors employed by him have violated any provisions protecting the personal data of the Client or the provisions made in the assignment. This also applies in the case of the loss or the unlawful transmission or knowledge of personal data and in the event of serious disruption of operations, suspected infringement of personal data protection regulations or other irregularities in the handling of personal data of the client.
  • The execution of the order control by means of regular inspections by the contractor with regard to the performance or fulfillment of the contract, in particular compliance and, if necessary, adaptation of regulations and measures for carrying out the order.
6. Subcontracting

The contractor is entitled to use subcontractors for the performance of the service agreement and / or this contract. Prerequisite is the consent of the client. The consent is considered granted when

  • the identity of the subcontractor is communicated to the client in text form (Annex 3)
  • the contractual agreements with the subcontractor are designed in such a way that they comply with the data protection provisions in the contractual relationship between the client and the contractor
  • In the case of subcontracting, the Client shall be granted control and verification rights in accordance with this Agreement. This includes in particular the right of the client to obtain from the contractor on written request information about the essential content of the contract and the implementation of the data protection obligations in subcontractual relationship, if necessary by inspection of the relevant contract documents.
  • the client has not objected in writing within one week from notification.

The client may object to the involvement of a subcontractor only for good cause.

For the purposes of this regulation, subcontracts are not services that the contractor uses as an ancillary service to third parties in order to assist in the execution of the order. These include, for example, telecommunications services, maintenance and user service, cleaners, examiners or the disposal of data carriers. However, the contractor is obliged to take appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the data of the client, even in the case of externally assigned ancillary services.

7. Duties of the Client

The client is solely responsible for compliance with the statutory provisions on data protection, in particular for the lawfulness of the data processing by the contractor and thus "Data Controller" within the meaning of Art. 4 No. 7 GDPR.

The responsibility also and in particular concerns any obligation to keep a register under Art. 30 GDPR and the information obligations under Art. 12 - 14 GDPR.

In the case of a claim of the client by a data subject with regard to any claims under Art. 82 GDPR, § 8 (9) shall apply mutatis mutandis.

The Client informs the Contractor immediately if it detects any errors or irregularities in connection with the processing of personal data by the Contractor.

The client shall provide the contractor with the contact person for data protection issues arising in the context of the contract.

8. Authorization of the client / Obligations of the contractor

(1) The contractor may process data of affected persons only within the framework of the order and the instructions of the client, unless there is an exceptional case of Art. 28 para. 3 a) GDPR.

In the context of the order description made in this agreement, the client reserves the right to give full instructions regarding the type, scope and procedure of the data processing, which he can substantiate with individual instructions. Changes to the processing object and procedural changes must be agreed and documented together. The contractor may only provide information to third parties or the person concerned after prior written consent by the client.

Instructions that are not provided for in the contract are treated as a request for change of performance. If the client issues individual instructions with regard to the handling of personal data that go beyond the contractually agreed scope of services, the costs thereby incurred shall be borne by the client.

Verbal instructions will be confirmed by the client immediately in writing or by e-mail (in text form). The contractor does not use the data for any other purpose and in particular is not authorized to pass them on to third parties. Copies and duplicates are not created without the client's knowledge. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required for compliance with statutory retention requirements.

The contractor is obliged to use the provided personal data exclusively for the contractually agreed service unless there is an exceptional case within the meaning of Article 28 paragraph 3 a) GDPR. The contractor informs the client immediately if he believes that a directive violates applicable laws. The contractor may suspend the implementation of the instruction until it has been confirmed or modified by the client. The contractor does not have to carry out instructions which are obviously contrary to data protection.

(2) The Contractor shall, as far as agreed, assist the Client within the scope of its possibilities in the fulfillment of the inquiries and claims of data subjects in accordance with Chapter III of the GDPR and in compliance with the obligations specified in Art. 33-36 GDPR. For the provision of these support services, we charge a fee of 75 euros per started hour.

(3) The Contractor warrants that the employees involved in the processing of the data of the Client are prohibited from processing the data outside the order. Furthermore, the contractor guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory confidentiality obligation. The confidentiality / confidentiality obligation will continue even after completion of the assignment.

(4) The contractor shall inform the client immediately if he becomes aware of violations of the protection of personal data of the client.

The contractor shall take the necessary measures to secure the data and to reduce the possible adverse consequences of the persons concerned and shall immediately discuss this with the client.

(5) The contractor shall inform the client of the contact person for data protection issues arising under the contract.

(6) The contractor guarantees to fulfill its obligations under Article 32 (1) (d) GDPR to establish a procedure for regular review of the effectiveness of the technical and organizational measures to ensure the safety of the processing.

(7) The contractor rectifies or deletes the contractual data if the client instructs this and this is included in the scope of the directive. If a data protection conforming deletion or a corresponding restriction of the data processing is not possible, the contractor takes over the data protection compliant destruction of data carriers and other materials on the basis of an individual commissioning by the client or returns these data carriers to the client, if not already agreed in the contract. For the provision of these support services, we charge a fee of 75 euros per started hour

In special, to be determined by the client cases, there is a storage or transfer. Remuneration and protective measures must be agreed separately, unless already agreed in the contract. For the provision of these protective measures, we charge a fee of 75 euros per started hour. The cost of storing business data depends on the size of the data and the length of retention. As far as the storage is desired, an individual contractual regulation must be made.

(8) Data, disks as well as all other materials shall either be issued or deleted after the end of the order at the request of the client.

If additional costs arise due to deviating specifications in the case of publication or deletion of the data, this shall be borne by the customer.

(9) In the case of a utilization of the client by an affected person with regard to any claims under Art. 82 GDPR, the contractor undertakes to assist the client in defending the claim to the best of his ability. For the provision of these support services, we charge a fee of 75 euros per started hour.

9. Requests of data subjects

If an affected person with claims for rectification, deletion or information to the contractor, the contractor will refer the data subject to the client, if an assignment to the client according to the data subject is possible. The contractor will forward the claim of the data subject immediately to the client. The contractor supports the client as far as possible within the scope of his possibilities. The contractor is not liable if the request of the data subject is not answered by the client, not correctly or not on time.

10. Deletion of personal data after completion of the underlying order

After conclusion of the contractual work or earlier upon request by the client - at the latest upon termination of the service agreement - the contractor shall hand over to the client all documents, processing and utilization results as well as data stocks which are in the context of the contract relationship or to be destroyed in accordance with data protection after prior consent. The same applies to test and scrap material. The log of the deletion must be submitted on request.

Documentations serving as evidence of orderly and proper data processing shall be retained by the contractor in accordance with the respective retention periods beyond the end of the contract. He can hand them over to the client for discharge at the end of the contract.

11. Detection options

(1) The contractor shall prove to the client the compliance with the obligations laid down in this contract by suitable means.

(2) If, in individual cases, inspections by the client or an inspector commissioned by the latter are required, they shall be carried out during the normal business hours without disruption to the operation after registration, taking into account a reasonable lead time. The contractor may make these dependent on prior notification with reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures that have been set up. If the examiner commissioned by the client is in a competitive relationship with the contractor, the contractor has a right of appeal against this.

For assistance in carrying out an inspection, the contractor may request a fee of 600 euros per working day. The expenditure of an inspection is always limited to one day per calendar year for the contractor.

(3) If a data protection supervisory authority or another sovereign supervisory authority of the client carries out an inspection, paragraph 2 shall apply accordingly. The signing of a confidentiality obligation is not required if this supervisory authority is subject to a professional or legal confidentiality, in which a violation under the Criminal Code is punishable.

12. Reference to legally compliant behavior

The contractor points out that no advertising may be sent by the client in violation of statutory provisions. The clients are responsible for the admissibility of data collection, processing and use. This also applies to the obligation of the client under the law against unfair competition (in particular to obtain a consent under § 7 UWG) and the telecommunications secrecy gem. Telecommunications Act (§ 88 TKG).

13. Information obligations, written form clause, choice of law

(1) Should the data of the client be endangered by seizure or confiscation, by a bankruptcy or settlement procedure or by other events or measures of third parties, the contractor shall inform the client without delay. The contractor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data are exclusively with the client as the "controller" within the meaning of the General Data Protection Regulation.

(2) Changes and amendments to this standardized agreement and all its components - including any representations by the contractor - require a separate, written agreement and the explicit mention that this is an amendment or addition to this agreement. This also applies to the waiver of this form requirement.

An agreement in electronic format (written form) shall also be recognized by the Parties as effective.

(3) Should individual parts of this contract be ineffective, this does not affect the validity of the rest of the contract. Instead of the ineffective parts, the corresponding statutory regulation applies.

(4) German law applies.

(5) Jurisdiction is the headquarters of the contractor

14. Liability and damages

Client and contractor are liable to data subjects in accordance with the provisions of Art. 82 GDPR.

Annex 1

Explanatory notes on the processing of personal data

1. Purpose of the processing of personal data

Personal data is processed by N-Centive to enable the use of the services offered by N-Centive by the customer (client)

2. Type of processing and processing activities

Processing is both automated and non-automated. The processing takes place through the provided IT systems of N-Centive and includes the following processing activities: collecting, saving, adaptation, modification, disclosure, the creation of backup copies, as well as further processing as required to ensure the service.

There is no provision for direct communication with data subjects regarding the processing of data by N-Centive.

The role of N-Centive is to provide the necessary services and tools for their customers to ensure the processing of personal information. N-Centive has no influence on how and to what extent personal data is processed by the customer within the service, does not determine the motivation and legality of this processing, nor does it monitor it.

3. Categories of data

The customer commissions N-Centive to process personal data of the following categories

  • Contacts: Contains all persons whose personal data are stored in the contact list of the customer or to whom the customer sends communication via the service. These can be customers, prospects, employees, business partners and customers of business partners
  • Persons authorized by the customer to use the account (vicarious agents)

The service of N-Centive is basically not designed to process special categories according to Article 9 GDPR, or Article 10 GDPR. The final decision on the extent of the data processed by N-Centive lies with the customer. By using the service to process data of this kind, the customer assures that the security measures of N-Centive are in his opinion sufficient to process this type of data.

4. Categories of personal data

The customer commissions N-Centive to process the following categories of data

Contacts: email address, first name, last name, customer number

Vicarious agents: email address, first name, last name

Annex 2

Data security concept (measures for data protection control according to Art. 32 GDPR)

The purpose of the data protection measures taken by N-Centive is to ensure the availability of data, integrity, confidentiality, non-interchangeability through purpose, transparency through auditability, and anchorability.

Measures of pseudonymisation and encryption of personal data are carried out, which ensure a current level of protection. Likewise, our data security measures aim at a permanent, high load capacity of our systems and services with regard to the associated data processing. We ensure the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident. We also use a process to periodically review, evaluate and evaluate the effectiveness of the technical and organizational measures to ensure the safety of the processing. In addition, the controller and the processor take steps to ensure that individuals under their control who have access to personal data process them only at the direction of the controller, unless they are under the law of the Union or the Member States for processing ,

The business processes of N-Centive are based on the specifications of Art. 32 of the General Data Protection Regulation (GDPR).

1. Protection against unauthorized knowledge acquisition of employee and customer data as well as other sensitive personal data

The measures taken in the Company ensure that unauthorized persons can not influence such data processing systems on which personal data are processed or stored.

The Contractor warrants to the Client that unauthorized persons will be denied access to the data processing systems by means of the following measures with which personal data will be processed or secured:

  • Access to the office space only by or in the company of authorized persons
  • Central access control for office space (key concept)
  • Fire alarm system
  • Storage of confidential documents only under lock and key in lockable, massive cabinets.

The contractor further ensures that unauthorized persons are prevented from using the data processing systems by:

  • Password protection: passwords with min. 8 characters incl. Two special characters. Passwords are changed every 90 days.
  • personal and individual user log-in when logging on to the system or corporate network
  • one user master record per user
  • IP-limited access to servers
  • Authorization concept for digital access options

The confidentiality and integrity measures taken in the Company ensure that the persons entitled to use a data processing system can only access the data subject to their access authorization. It also ensures that personal data can not be read, copied, altered or removed without authorization during processing, use and after storage.

The business processes of N-Centive are supported by the following measures:

  • differentiated and task-related authorizations, profiles
  • regular viewing of log files
  • Commitment of all employees to data protection secrecy and telecommunications secrecy
  • The measures taken within the company ensure sufficient disclosure control. Personal data is not illegally read, copied, altered or removed during the electronic transmission or during its transport or storage on data carriers without it being possible to check, establish and prevent it.

    N-Centive hereby assures that no data will be passed on to third parties beyond the statutory exceptions. The measures taken to achieve this objective are listed below:

    • 256-bit SSL encryption with extended validation
    • There are regulations for data destruction and deletion (deletion concept) The data integrity measures taken in the company ensure sufficient input control. It can be subsequently reviewed in N-Centive's business processes and it can be determined if and by whom personal data has been entered, changed or removed in data processing systems.

    This is achieved by the following measures:

    • Warranty through logging and logging system
    • Regulations of access rights

    The measures taken within the company also ensure a high level of protection in the field of order control. The personal data processed in the order will only be processed in accordance with the instructions of the client. This is supported by the following measures:

    • written contract for order processing acc. Art. 28 GDPR with regulations on the rights and obligations of the contractor and client
    • formalized order placement

    The company's availability control measures ensure that personal information is protected against accidental destruction or loss.

    The contractor will undertake the following actions:

    • Backup procedures
    • Emergency power supply to the subcontractor(USV)
    • Antivirus / firewall at both subcontractor and N-Centive
    • emergency plan
    • Fire alarm system

    In addition, the separation control measures taken within the company ensure that personal data collected for different purposes can also be processed separately.

    The following measures are implemented to achieve this purpose in the business processes of N-Centive:

    • It is multi-client capable software in use.
    • Development and test systems are operated exclusively with test data

    Annex 3

    Appointment of subcontractors of N-Centive

    N-Centive uses the support of external subcontractors to provide its services. The subcontractors listed here provide various services such as hosting and server housing, customer service, troubleshooting, quality control and email delivery.


    For security reasons the list of subcontractors is available per request only. Requests can be made to our Support