This agreement (hereinafter the "DPA") specifies the data protection obligations of the parties in connection with the use of the ZAGRO Group App and constitutes processing on behalf of a controller pursuant to Art. 28 GDPR.
Controller (hereinafter the "Client"): [PLACEHOLDER: company, address of the B2B customer]
Processor (hereinafter the "Contractor"): ZAGRO Bahn- und Baumaschinen GmbH, Mühlstraße 11–15, 74906 Bad Rappenau, Germany (represented by the managing directors Wolfgang Zappel and Wikko Zappel)
The Contractor processes personal data exclusively on behalf of and on the instructions of the Client within the scope of providing the App. Insofar as the Contractor processes data for its own purposes (e.g. its own product-liability preservation of evidence, contract processing with the Client), it is an independent controller in this respect; this DPA does not apply to that.
1.1 Subject: Processing of personal data of the Client's employees/users within the scope of the App functions (in particular training/proof management, vehicle/maintenance assignment, support).
1.2 Duration: The DPA applies for the term of the underlying main contract on the use of the App and ends with its termination, subject to continuing deletion/return obligations (section 11).
2.1 Nature of processing: Collection, recording, organization, storage, adaptation, retrieval, use, provision, restriction and deletion within the App.
2.2 Purpose: Provision of the contractually agreed App functions for the Client and its users.
3.1 Types of data: Master data (name, email, phone, language), access data, organization/role assignment, training and test results, certificate data, vehicle/maintenance assignments, support/ticket content, usage/log data.
3.2 Categories of data subjects: Employees and designated users of the Client.
The Contractor undertakes to:
4.1 process personal data exclusively within the scope of the Client's documented instructions, unless there is a legal obligation to process otherwise (in which case prior notification, insofar as permissible);
4.2 maintain confidentiality and ensure that the persons authorized to process the data are committed to confidentiality or are subject to a statutory duty of confidentiality;
4.3 implement the required technical and organizational measures under Art. 32 GDPR (Annex 1);
4.4 comply with the conditions for engaging additional processors (sub-processors) (section 6);
4.5 support the Client in fulfilling data subject rights (Art. 12–23 GDPR) through appropriate technical and organizational measures, insofar as possible;
4.6 support the Client in complying with the obligations under Art. 32–36 GDPR (data security, breach notification, data protection impact assessment);
4.7 provide the Client with all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and to enable reviews (audits) (section 8);
4.8 inform the Client without undue delay if it is of the opinion that an instruction violates data protection regulations.
5.1 The Client is responsible for the lawfulness of the processing and for safeguarding data subject rights (controller within the meaning of the GDPR).
5.2 The Client generally issues instructions in text form or via the functions provided for this purpose in the App. Verbal instructions must be confirmed in text form without undue delay.
5.3 The Client names a contact point authorized to issue instructions: [PLACEHOLDER: Client's contact person].
6.1 The Client consents to the engagement of the sub-processors named in Annex 2 at the time of conclusion of the contract (general authorization).
6.2 The Contractor informs the Client in good time about intended changes (addition/replacement). The Client may object for important data protection reasons within 14 days.
6.3 The Contractor obligates sub-processors to an equivalent level of data protection (Art. 28(4) GDPR).
The measures taken under Art. 32 GDPR are described in Annex 1. The Contractor may further develop these as long as the level of protection is not reduced.
8.1 The Client has the right to satisfy itself of compliance with this agreement.
8.2 Evidence may primarily be provided through appropriate documentation, certifications or audit reports. On-site inspections take place after reasonable prior notice, without disrupting operations, and while safeguarding the confidentiality and security interests of third parties.
The Contractor reports breaches of the protection of personal data to the Client without undue delay after becoming aware of them and supports the Client in its notification obligations (Art. 33, 34 GDPR).
Processing outside the EU/EEA takes place only if the requirements of Art. 44 et seq. GDPR are met (e.g. adequacy decision or appropriate safeguards such as standard contractual clauses). Status: The App infrastructure is operated by the Contractor on its own premises (on-premises, EU). A third-country transfer only occurs indirectly when sending email notifications via Microsoft 365 (Microsoft is certified under the EU-US Data Privacy Framework; processing primarily within the EU Data Boundary). No transfer beyond this takes place.
11.1 Upon termination of the processing, the Contractor deletes the personal data at the Client's choice or returns it, unless a statutory retention obligation precludes this.
11.2 Product liability note: Training records/certificates may be subject to statutory retention or a legitimate interest in preserving evidence. In this respect, the Contractor may be entitled or obliged to further storage as an independent controller; this must be recorded separately (see speicherfristen-rechtsgrundlagen.en.md).
The liability provision of the main contract applies. Statutory liability under Art. 82 GDPR remains unaffected.
13.1 In the event of contradictions between this DPA and the main contract, the provisions of this DPA take precedence in data protection matters.
13.2 German law applies. Changes require text form.
Infrastructure/hosting and the ticketing system (Zammad) are operated by the Contractor itself on-premises and are therefore not sub-processors. External sub-processor used:
| Sub-processor | Service | Registered office/location of processing |
|---|---|---|
| Microsoft Ireland Operations Ltd. (Microsoft 365 / Exchange Online) | Sending of email notifications | Dublin (Ireland) / EU Data Boundary; DPF-certified |
Note: When loading map tiles (if the map view is enabled), the end device's IP address is transmitted to the OpenStreetMap tile server (UK). This is not processing on behalf of a controller but independent processing by the Provider (see Privacy Policy, sections 5.4 and 6) and is therefore not a sub-processing relationship.