logo
Features
Solutions
Packages
About us
Customers
languageDe
Login

Schedule your personal web demo

By submitting your e-mail address, you agree to receive marketing communications in accordance with our privacy policy. You can unsubscribe at any time.

errorSomething went wrong here. Please reload the page or try again later.
Book a demo

Schedule your personal web demo

By submitting your e-mail address, you agree to receive marketing communications in accordance with our privacy policy. You can unsubscribe at any time.

errorSomething went wrong here. Please reload the page or try again later.
Book a demo

Conditions for Data Processing on behalf of a Controller pursuant to Article 28 GDPR

print
Print
file_save
Download PDF

Version: 22.12.2025

Conditions for Data Processing on behalf of a Controller pursuant to Article 28 GDPR

(Legally non-binding English translation of the German version)

Preamble

These data processing terms and conditions pursuant to Article 28 GDPR (hereinafter referred to as "GTC-DP") specify the data protection obligations arising from the contracts concluded between Lanes & Planes GmbH, Friedenheimer Brücke 16, 80639 Munich (hereinafter referred to as "Contractor") and an entrepreneur within the meaning of § 14 of the German Civil Code (hereinafter referred to as "Client") in accordance with § 1 of the Contractor's General Terms and Conditions (hereinafter referred to uniformly as the "Main Contract"). The GTC-DP apply to activities related to the Main Contract in which employees of the Contractor or persons commissioned by the Contractor process personal data (hereinafter referred to as "Data") on behalf of the Client.

  1. Object
  1. The description of each order, including details of the subject matter of the order, the type and purpose of the data processing, the type of data and the categories of data subjects, can be found in No. 1 of the Annex GTC-DP, which form part of these GTC-DP.
  2. The terms and definitions of the GDPR, in particular Article 4 GDPR, apply to the General Terms and Conditions.
  3. The Contractor's remuneration for his services is governed exclusively by the Main Contract.

  1. Location of Data Processing
  1. The contractually agreed processing generally takes place in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area, unless otherwise stipulated in No. 5 of the Annex GTC-DP.
  2. Before transferring processing to a third country, the Contractor shall inform the Client in writing. The Client may object to the change in writing, stating the reasons, within four weeks of receiving the information from the Contractor. If no objection is received within this period, consent to the change shall be deemed given.
  3. The transfer of processing to a third country may only take place if the specific requirements for transfers to a third country according to Art. 44 et seq. GDPR are met.

  1. Duration
  1. These GTC-DP apply from the conclusion of the Main Contract for the duration of the Main Contract. The Client's post-contractual obligations agreed upon in these GTC remain unaffected.
  2. The Client may terminate these GTC-DP without notice if the Contractor commits a serious breach of data protection regulations or the provisions of these General Terms and Conditions. In particular, failure to comply with the obligations agreed upon in these GTC-DP and derived from Article 28 of the GDPR constitutes a serious breach.

  1. Directive
  1. The Contractor processes personal data only within the scope of the instructions given by the Client. This does not apply if the Contractor is obligated to process the data under EU law or the law of the member states to which the Contractor is subject. In this case, the Contractor will inform the Client of these legal requirements before processing, unless such notification is prohibited by the relevant law due to an important public interest.
  2. Instructions that amend, revoke, or supplement the provisions set out in No. 1 of the Annex GTC-DP are only permissible if a corresponding new agreement is made in writing.
  3. Regardless of the form in which instructions are given, both the Contractor and the Client shall document each instruction from the Client in writing. These instructions must be retained for the duration of these GTC-DP and for a further three years thereafter.
  4. The Contractor shall immediately inform the Client if, in its opinion, an instruction issued by the Client violates legal regulations. In such a case, the Contractor is entitled, after giving the Client timely prior notice, to suspend execution of the instruction until the Client has amended or confirmed it. If the Contractor can demonstrate that processing according to the Client's instructions could lead to liability for the Contractor under Article 82 GDPR, the Contractor is free to suspend further processing to that extent until the liability issue has been clarified between the parties.
  5. The Contractor designates the recipients of instructions. In the event of a change or prolonged unavailability of the contact person, the successors or representatives must be communicated to the contractual partner immediately, in writing or electronically.

  1. Support Obligations of the Contractor
  1. In view of the nature of the processing, the Contractor shall take appropriate technical and organizational measures to assist the Client in fulfilling its obligation to respond to requests from data subjects pursuant to Articles 12 to 22 GDPR.
  2. Considering the nature of the processing and the information available to him, the Contractor supports the controller in complying with his obligations under Articles 32 to 36 GDPR. Specifically, this includes ensuring the security of the processing, reporting breaches to the supervisory authority, notifying data subjects of a breach, conducting data protection impact assessments, and consulting the competent supervisory authority.
  3. If a data subject or a data protection supervisory authority contacts the Contractor directly in connection with the personal data processed under this agreement, the Contractor shall inform the Client immediately and coordinate the further steps with him.

  1. Client's Rights of Inspection
  1. Upon request, the Contractor shall provide the Client with all necessary information to demonstrate compliance with the obligations stipulated in these GTC-DP and Article 28 of the GDPR. In particular, the Contractor shall provide the Client with information about the stored data and the data processing programs.
  2. The Client or third parties commissioned by the Client are entitled, after prior timely consultation, to verify compliance with the obligations arising from these GTC-DP and Article 28 of the GDPR at the Contractor's premises during normal business hours, either personally or through a qualified third party bound by confidentiality, provided that the third party is not in a competitive relationship with the Contractor. The Client will only conduct inspections to the necessary extent and will not cause disproportionate disruption to the Contractor's operations.
  3. The Contractor shall, upon request of the Client, provide suitable evidence of compliance with the obligations pursuant to Article 28(1) and (4) GDPR. This evidence may be provided by supplying documents and certificates that reflect approved codes of conduct within the meaning of Article 40 GDPR or approved certification mechanisms within the meaning of Article 42 GDPR.

  1. Data Protection Officer of the Contractor

The data protection officer of the Contractor is listed in No. 3 of the Annex GTC-DP, insofar as the Contractor is required to appoint a data protection officer or has appointed one voluntarily.

  1. Confidentiality
  1. The Contractor confirms that they are familiar with the relevant data protection regulations of the GDPR applicable to order processing. They will maintain confidentiality when processing the Client's personal data. This obligation continues even after the termination of the Main Contract.
  2. The Contractor warrants that it will familiarize its employees involved in carrying out the work with the applicable data protection regulations. It will obligate these employees, by written agreement, to maintain confidentiality for the duration of their employment and even after its termination, unless they are subject to an appropriate statutory duty of confidentiality. The Contractor will monitor compliance with data protection regulations within its company.
  3. The Contractor may only disclose information to third parties or affected parties with the prior written consent or consent in an electronic format from the Client.

  1. Technical and Organizational Measures
  1. The Contractor shall implement appropriate technical and organizational measures to ensure that processing is carried out in accordance with the requirements of the GDPR and that the rights of the data subject are protected. The Contractor shall structure its internal organization in such a way that it meets the specific requirements of data protection and achieves an appropriate level of protection. In particular, the Contractor shall ensure, considering the current state of the art, the appropriate security of the processing, especially the confidentiality (including pseudonymization and encryption), availability, integrity, and resilience of the systems and services used for data processing.
  2. The technical and organizational measures are set out in the Annex GTC-DP and may be adapted to technological advancements during the course of the contractual relationship. The adapted measures must at least meet the security level of the measures agreed upon in No. 4 of the Annex GTC-DP. Significant changes must be agreed upon in writing.

  1. Information Obligations of the Contractor, Breach of Personal Data Protection
  1. The Contractor shall inform the Client immediately of any violations or suspected violations of these GTC-DP or regulations concerning the protection of personal data.
  2. The Contractor assists the Client in investigating, mitigating damages and remedying the violations.
  3. Should the personal data processed under this agreement be jeopardized by seizure or attachment, insolvency or composition proceedings, or other events or actions by third parties, the Contractor shall inform the Client immediately. The Contractor shall also immediately inform all relevant bodies that the Client has regained control of the data.
  4. Insofar as audits are conducted by data protection supervisory authorities, the Contractor undertakes to inform the Client of the results, insofar as they relate to the processing of personal data under these General Terms and Conditions. The Contractor will rectify any deficiencies identified in the audit report without undue delay and inform the Client accordingly.
  5. This § 10 applies accordingly to incidents in processes carried out by Subcontractors.

  1. Subcontractors
  1. The contractually agreed services will be performed with the involvement of the Subcontractors listed in No. 5 Annex GTC-DP. Within the scope of its contractual obligations under the Main Contract, the Contractor is authorized to establish further subcontracting relationships with Subcontractors.
  2. Before establishing further subcontracting relationships or replacing Subcontractors, the Contractor shall inform the Client in writing. The Client may object to the change in writing, stating the reasons, within four weeks of receiving the information from the Contractor. If no objection is received within this period, the change shall be deemed accepted. If the Client objects to the change, the Contractor is entitled to terminate the Main Contract prematurely with one month's notice.
  3. The Contractor must contractually ensure that the provisions agreed upon in these GTC-DP also apply to Subcontractors. The Contractor's contract with the Subcontractor must be concluded in writing or in electronic form. The engagement of Subcontractors in third countries is only permitted if the specific requirements of Articles 44 et seq. of the GDPR are met.
  4. The Client gives his consent to the engagement of the Subcontractors listed in No. 5 of the Annex GTC-DP upon conclusion of the Main Contract.
  5. The Contractor shall ensure that the Client has the same rights of instruction and control over the Subcontractor as it has over the Contractor under these General Terms and Conditions. If a Subcontractor fails to comply with its data protection obligations, the Contractor shall be liable to the Client for ensuring that the Subcontractor complies with its obligations.

  1. Deletion and Return of Personal Data
  1. Upon completion of the processing services agreed upon in the Main Contract, the Contractor is obligated, at the Client's discretion, to either return or delete all personal data received during the processing. This includes, in particular, the results of the data processing, documents and data carriers provided, and copies of the personal data. The obligation to delete or return the data does not apply if the Contractor is legally obligated under EU or member state law to retain the data. If a further obligation to retain the data exists, the Contractor must restrict the processing of the personal data and use the data only for the purposes for which the retention obligation exists. The obligations regarding the security of the processing remain in effect for the duration of the retention period. The Contractor must delete the data immediately as soon as the obligation to retain it ceases.
  2. The deletion must be carried out in such a way that the data cannot be recovered.
  3. The processes must be documented, including the date and the person who carried them out. This documentation, along with written proof of completion, must be provided to the Client upon request within 14 days of the processes being carried out.

  1. Liability

The Contractor is liable, within the framework of the statutory provisions, for damages arising from culpable conduct in violation of data protection regulations or this data protection agreement. Likewise, the Contractor is liable for culpable conduct by its Subcontractors and their Subcontractors. Furthermore, the Client and Contractor are liable to data subjects in accordance with the provisions of Article 82 GDPR.

  1. Final Provisions
  1. The right to withhold data is excluded.
  2. The Annex GTC-DP forms an essential part of the Main Contract. In case of any discrepancies with the Main Contract or the Contractor's general terms and conditions, the provisions of these GTC-DP take precedence over the provisions of the Main Contract and the Contractor's general terms and conditions.
  3. The provisions governing amendments to these GTC-DP shall apply accordingly to amendments to the Contractor's General Terms and Conditions; § 11(2) remains unaffected. The Client shall only amend these GTC-DP if this is necessary for the performance of the Main Contract or for compliance with data protection regulations.
  4. If any provision of these GTC-DP proves to be invalid, this shall not affect the validity of the remaining provisions of the General Terms and Conditions.
  5. These GTC-DP are governed by German law. The exclusive place of jurisdiction for all disputes arising from this contract is the registered office of the Contractor.