By creating an account, you (hereafter referred to as "Client") electronically agree to this contract, the data processing agreement (also AVV, or in the English DPA). This agreement is permanently available for your information in your account.
This Agreement supplements the existing General Terms and Conditions for the use of the N-Centive Service (hereinafter "Service") operated by CBV-Media with registered office: Laubacher Strasse 13, 56288 Spesenroth, RLP, Germany (hereinafter "N-Centive", "we", "us ", "Contractor"). In the case of a representation of these conditions in a language other than German, note that only the original German version is legally binding.
The contractor processes personal data on behalf of the client
The subject of the order is the use of address data of the client for the creation of customer loyalty programs.
The details of the services result from the General Terms and Conditions (https://www.n-centive.com/legal/terms?lang=en), which are expressly accepted by the CLIENT when registering for N-Centive. These services are referred to here (in the following performance agreement).
The duration of this contract (term) is the duration of the service agreement. The provisions for terminating the service agreement also apply to this contract. Termination of the service agreement entitles both parties to terminate this contract.
In addition, the parties agree that prior contracts for order data processing or order processing will be terminated by mutual agreement upon conclusion of this Agreement.
The scope, nature and purpose of the data processing are limited to the use of address data for the creation of loyalty programs for the customer and the sending of emails to their participants.
The processing and use of the data takes place exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union or in another Contracting State of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special conditions of Art. 7 GDPR are fulfilled.
The subject of the processing of personal data is customer data from the client
The persons affected by the handling of their personal data in the context of this order are customers, business contacts and interested parties of the client.
The types of data processed and the categories of data subjects are set out in Appendix 1 to this contract.
The contractor is obligated to document the technical and organizational measures required under Art. 32 GDPR before beginning the collection, processing, or use of personal data - with special consideration of the specific execution of the order - and to make this documentation available to the client upon request. The technical and organizational measures required by Art. 32 GDPR are listed in the data protection concept attached as Annex 2 for the aforementioned purpose and are part of this agreement.
The technical and organizational measures are subject to technical progress and further development; in this respect, the contractor is permitted to implement alternative adequate measures, provided that the level of safety of the specified measures is not undershot. The contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis. The customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.
The contractor shall only correct, delete or block the personal data collected, processed or used on behalf of the client. If an affected person should contact N-Centive directly for the purpose of rectifying, deleting or blocking his / her data, the contractor is obliged to forward this request to the client immediately upon receipt. Any costs incurred by this procedure shall be borne by the client.
The contractor has the following obligations pursuant to Art. 28ff GDPR:
The contractor is entitled to use subcontractors for the performance of the service agreement and / or this contract. Prerequisite is the consent of the client. The consent is considered granted when
The client may object to the involvement of a subcontractor only for good cause.
For the purposes of this regulation, subcontracts are not services that the contractor uses as an ancillary service to third parties in order to assist in the execution of the order. These include, for example, telecommunications services, maintenance and user service, cleaners, examiners or the disposal of data carriers. However, the contractor is obliged to take appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the data of the client, even in the case of externally assigned ancillary services.
The client is solely responsible for compliance with the statutory provisions on data protection, in particular for the lawfulness of the data processing by the contractor and thus "Data Controller" within the meaning of Art. 4 No. 7 GDPR.
The responsibility also and in particular concerns any obligation to keep a register under Art. 30 GDPR and the information obligations under Art. 12 - 14 GDPR.
In the case of a claim of the client by a data subject with regard to any claims under Art. 82 GDPR, § 8 (9) shall apply mutatis mutandis.
The Client informs the Contractor immediately if it detects any errors or irregularities in connection with the processing of personal data by the Contractor.
The client shall provide the contractor with the contact person for data protection issues arising in the context of the contract.
(1) The contractor may process data of affected persons only within the framework of the order and the instructions of the client, unless there is an exceptional case of Art. 28 para. 3 a) GDPR.
In the context of the order description made in this agreement, the client reserves the right to give full instructions regarding the type, scope and procedure of the data processing, which he can substantiate with individual instructions. Changes to the processing object and procedural changes must be agreed and documented together. The contractor may only provide information to third parties or the person concerned after prior written consent by the client.
Instructions that are not provided for in the contract are treated as a request for change of performance. If the client issues individual instructions with regard to the handling of personal data that go beyond the contractually agreed scope of services, the costs thereby incurred shall be borne by the client.
Verbal instructions will be confirmed by the client immediately in writing or by e-mail (in text form). The contractor does not use the data for any other purpose and in particular is not authorized to pass them on to third parties. Copies and duplicates are not created without the client's knowledge. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required for compliance with statutory retention requirements.
The contractor is obliged to use the provided personal data exclusively for the contractually agreed service unless there is an exceptional case within the meaning of Article 28 paragraph 3 a) GDPR. The contractor informs the client immediately if he believes that a directive violates applicable laws. The contractor may suspend the implementation of the instruction until it has been confirmed or modified by the client. The contractor does not have to carry out instructions which are obviously contrary to data protection.
(2) The Contractor shall, as far as agreed, assist the Client within the scope of its possibilities in the fulfillment of the inquiries and claims of data subjects in accordance with Chapter III of the GDPR and in compliance with the obligations specified in Art. 33-36 GDPR. For the provision of these support services, we charge a fee of 75 euros per started hour.
(3) The Contractor warrants that the employees involved in the processing of the data of the Client are prohibited from processing the data outside the order. Furthermore, the contractor guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory confidentiality obligation. The confidentiality / confidentiality obligation will continue even after completion of the assignment.
(4) The contractor shall inform the client immediately if he becomes aware of violations of the protection of personal data of the client.
The contractor shall take the necessary measures to secure the data and to reduce the possible adverse consequences of the persons concerned and shall immediately discuss this with the client.
(5) The contractor shall inform the client of the contact person for data protection issues arising under the contract.
(6) The contractor guarantees to fulfill its obligations under Article 32 (1) (d) GDPR to establish a procedure for regular review of the effectiveness of the technical and organizational measures to ensure the safety of the processing.
(7) The contractor rectifies or deletes the contractual data if the client instructs this and this is included in the scope of the directive. If a data protection conforming deletion or a corresponding restriction of the data processing is not possible, the contractor takes over the data protection compliant destruction of data carriers and other materials on the basis of an individual commissioning by the client or returns these data carriers to the client, if not already agreed in the contract. For the provision of these support services, we charge a fee of 75 euros per started hour
In special, to be determined by the client cases, there is a storage or transfer. Remuneration and protective measures must be agreed separately, unless already agreed in the contract. For the provision of these protective measures, we charge a fee of 75 euros per started hour. The cost of storing business data depends on the size of the data and the length of retention. As far as the storage is desired, an individual contractual regulation must be made.
(8) Data, disks as well as all other materials shall either be issued or deleted after the end of the order at the request of the client.
If additional costs arise due to deviating specifications in the case of publication or deletion of the data, this shall be borne by the customer.
(9) In the case of a utilization of the client by an affected person with regard to any claims under Art. 82 GDPR, the contractor undertakes to assist the client in defending the claim to the best of his ability. For the provision of these support services, we charge a fee of 75 euros per started hour.
If an affected person with claims for rectification, deletion or information to the contractor, the contractor will refer the data subject to the client, if an assignment to the client according to the data subject is possible. The contractor will forward the claim of the data subject immediately to the client. The contractor supports the client as far as possible within the scope of his possibilities. The contractor is not liable if the request of the data subject is not answered by the client, not correctly or not on time.
After conclusion of the contractual work or earlier upon request by the client - at the latest upon termination of the service agreement - the contractor shall hand over to the client all documents, processing and utilization results as well as data stocks which are in the context of the contract relationship or to be destroyed in accordance with data protection after prior consent. The same applies to test and scrap material. The log of the deletion must be submitted on request.
Documentations serving as evidence of orderly and proper data processing shall be retained by the contractor in accordance with the respective retention periods beyond the end of the contract. He can hand them over to the client for discharge at the end of the contract.
(1) The contractor shall prove to the client the compliance with the obligations laid down in this contract by suitable means.
(2) If, in individual cases, inspections by the client or an inspector commissioned by the latter are required, they shall be carried out during the normal business hours without disruption to the operation after registration, taking into account a reasonable lead time. The contractor may make these dependent on prior notification with reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures that have been set up. If the examiner commissioned by the client is in a competitive relationship with the contractor, the contractor has a right of appeal against this.
For assistance in carrying out an inspection, the contractor may request a fee of 600 euros per working day. The expenditure of an inspection is always limited to one day per calendar year for the contractor.
(3) If a data protection supervisory authority or another sovereign supervisory authority of the client carries out an inspection, paragraph 2 shall apply accordingly. The signing of a confidentiality obligation is not required if this supervisory authority is subject to a professional or legal confidentiality, in which a violation under the Criminal Code is punishable.
The contractor points out that no advertising may be sent by the client in violation of statutory provisions. The clients are responsible for the admissibility of data collection, processing and use. This also applies to the obligation of the client under the law against unfair competition (in particular to obtain a consent under § 7 UWG) and the telecommunications secrecy gem. Telecommunications Act (§ 88 TKG).
(1) Should the data of the client be endangered by seizure or confiscation, by a bankruptcy or settlement procedure or by other events or measures of third parties, the contractor shall inform the client without delay. The contractor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data are exclusively with the client as the "controller" within the meaning of the General Data Protection Regulation.
(2) Changes and amendments to this standardized agreement and all its components - including any representations by the contractor - require a separate, written agreement and the explicit mention that this is an amendment or addition to this agreement. This also applies to the waiver of this form requirement.
An agreement in electronic format (written form) shall also be recognized by the Parties as effective.
(3) Should individual parts of this contract be ineffective, this does not affect the validity of the rest of the contract. Instead of the ineffective parts, the corresponding statutory regulation applies.
(4) German law applies.
(5) Jurisdiction is the headquarters of the contractor
Client and contractor are liable to data subjects in accordance with the provisions of Art. 82 GDPR.
Personal data is processed by N-Centive to enable the use of the services offered by N-Centive by the customer (client)
Processing is both automated and non-automated. The processing takes place through the provided IT systems of N-Centive and includes the following processing activities: collecting, saving, adaptation, modification, disclosure, the creation of backup copies, as well as further processing as required to ensure the service.
There is no provision for direct communication with data subjects regarding the processing of data by N-Centive.
The role of N-Centive is to provide the necessary services and tools for their customers to ensure the processing of personal information. N-Centive has no influence on how and to what extent personal data is processed by the customer within the service, does not determine the motivation and legality of this processing, nor does it monitor it.
The customer commissions N-Centive to process personal data of the following categories
The service of N-Centive is basically not designed to process special categories according to Article 9 GDPR, or Article 10 GDPR. The final decision on the extent of the data processed by N-Centive lies with the customer. By using the service to process data of this kind, the customer assures that the security measures of N-Centive are in his opinion sufficient to process this type of data.
The customer commissions N-Centive to process the following categories of data
Contacts: email address, first name, last name, customer number
Vicarious agents: email address, first name, last name
The purpose of the data protection measures taken by N-Centive is to ensure the availability of data, integrity, confidentiality, non-interchangeability through purpose, transparency through auditability, and anchorability.
Measures of pseudonymisation and encryption of personal data are carried out, which ensure a current level of protection. Likewise, our data security measures aim at a permanent, high load capacity of our systems and services with regard to the associated data processing. We ensure the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident. We also use a process to periodically review, evaluate and evaluate the effectiveness of the technical and organizational measures to ensure the safety of the processing. In addition, the controller and the processor take steps to ensure that individuals under their control who have access to personal data process them only at the direction of the controller, unless they are under the law of the Union or the Member States for processing ,
The business processes of N-Centive are based on the specifications of Art. 32 of the General Data Protection Regulation (GDPR).
The measures taken in the Company ensure that unauthorized persons can not influence such data processing systems on which personal data are processed or stored.
The Contractor warrants to the Client that unauthorized persons will be denied access to the data processing systems by means of the following measures with which personal data will be processed or secured:
The contractor further ensures that unauthorized persons are prevented from using the data processing systems by:
The confidentiality and integrity measures taken in the Company ensure that the persons entitled to use a data processing system can only access the data subject to their access authorization. It also ensures that personal data can not be read, copied, altered or removed without authorization during processing, use and after storage.
The business processes of N-Centive are supported by the following measures:
The measures taken within the company ensure sufficient disclosure control. Personal data is not illegally read, copied, altered or removed during the electronic transmission or during its transport or storage on data carriers without it being possible to check, establish and prevent it.
N-Centive hereby assures that no data will be passed on to third parties beyond the statutory exceptions. The measures taken to achieve this objective are listed below:
This is achieved by the following measures:
The measures taken within the company also ensure a high level of protection in the field of order control. The personal data processed in the order will only be processed in accordance with the instructions of the client. This is supported by the following measures:
The company's availability control measures ensure that personal information is protected against accidental destruction or loss.
The contractor will undertake the following actions:
In addition, the separation control measures taken within the company ensure that personal data collected for different purposes can also be processed separately.
The following measures are implemented to achieve this purpose in the business processes of N-Centive:
N-Centive uses the support of external subcontractors to provide its services. The subcontractors listed here provide various services such as hosting and server housing, customer service, troubleshooting, quality control and email delivery.
For security reasons the list of subcontractors is available per request only. Requests can be made to our Support