Order processing contract

Version October 2023

Agreement on order processing

Regulations on data protection and data security in contractual relationships

according to Art. 28 GDPR

Shiftmove GmbH

Warschauer Straße 57

10243 Berlin

- hereinafter referred to as "Processor" -

and you

- hereinafter referred to as the "Controller" -

- hereinafter jointly referred to as the "Contracting Parties"

Preamble

This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR is part of our General Terms and Conditions ("Main Agreement") concluded between our users and Shiftmove GmbH and can be accessed here: https://www.shiftmove.com/legal/agb. According to this agreement, this DPA applies to the processing of your personal data in the context of the provision of our product.

The agreement is based on the provisions of the GDPR and the BDSG.

§ 1 Subject matter of the contract; nature and purpose of the processing; type of personal data, categories of data subjects

(1) The subject matter of the contract is the provision of Software-as-a-Service services from the Shiftmove Group's range ("Services"). The type and purpose of the processing are defined in Annex 1a.

(2) The categories of persons concerned are defined in Annex 1b.

(3) The type of personal data processed is defined in Annex 1c.

(4) Annex 1 is an integral part of this agreement.

(5) The controller shall instruct the processor to process this data for these purposes.

§ 2 Duration of the order

The duration of this order (term) corresponds to the term of the main contract.

§ 3 Responsibility and authority to issue instructions

(1) The Controller shall be responsible for compliance with the provisions of data protection law, in particular for the lawfulness of the transfer of data to the Processor and for the lawfulness of the data processing (Art. 4 No. 7 GDPR). The processor shall not use the data for any purposes other than those specified in this data processing agreement and in the main contract and, in particular, is not authorized to pass them on to third parties. Copies and duplicates will not be made without the knowledge of the controller. Anything to the contrary shall only apply to the extent specified in paragraph 2.

(2) The processor shall process personal data only on the documented instructions of the controller, unless there is another obligation under Union law or the law of the Member State to which the processor is subject. In the event of another obligation, the processor shall inform the controller of the relevant legal requirements without undue delay prior to processing.

(3) If the processor is of the opinion that an instruction violates data protection regulations, it shall inform the controller immediately in accordance with Art. 28 para. 3 sentence 3 GDPR. Until the corresponding instruction has been confirmed or amended, the processor shall be entitled to suspend the implementation of the instruction.

(4) Changes to the object of processing with procedural changes must be jointly agreed and documented. The processor may only provide information to third parties or the data subject with the prior written consent of the controller.

§ 4 Confidentiality

When carrying out the work, the processor shall only use employees who have been bound to confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b GDPR and who have previously been familiarized with the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data may only process this data in accordance with the Controller's instructions, including the powers granted in this Data Processing Agreement, unless they are legally obliged to do so.

§ 5 Data security

(1) The contracting parties agree on the specific data security measures set out in Appendix 2 "Technical and organizational measures" in accordance with Art. 28 para. 3 lit. c GDPR in conjunction with Art. 32 para. 1 GDPR in order to ensure the security of the processing carried out on behalf of the controller. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.

(2) Appendix 2 is an integral part of this agreement.

(3) The processor shall observe the principles of proper data processing. It shall guarantee the contractually agreed and legally prescribed data security measures. The technical and organizational measures are subject to technical progress and further development. In this respect, the processor is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not be undercut. Significant changes must be documented and communicated to the controller in writing.

§ 6 Inclusion of further processors (subcontractors)

(1) For the purposes of this regulation, subcontractors are further processors whose services are directly related to the provision of the main service. This does not include ancillary services which the processor uses, such as telecommunications services, postal/transport services and cleaning. However, the processor is obliged to put in place appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the controller's data, even in the case of outsourced ancillary services.

(2) The use of subcontractors or a change of the existing subcontractor is permitted, provided that:

  • the processor notifies the controller of such outsourcing to subcontractors a reasonable time in advance in writing or in text form, and
  • the controller does not object to the planned outsourcing in writing or in text form to the processor by the time the data is transferred.

(3) A contractual agreement shall be concluded with the subcontractor in accordance with Art. 28 (3) and (4) GDPR.

(4) The transfer of personal data of the controller to the subcontractor and the subcontractor's initial activities are only permitted once all legal requirements for subcontracting have been met. The subcontractors approved by the controller at the time the contract is concluded are listed under https://vimcar.com/data-protection/subcontractors and https://www.avrios.com/de/legal/sub-processors and can be updated by the processor.

(5) Affiliated companies of the Shiftmove Group are commissioned as subcontractors.

(6) Any transfer of data processing to a third country requires the prior documented instruction of the controller (Art. 28 para. 3 lit. a GDPR) and may only take place if the special requirements of Art. 44-49 GDPR are met.

§ 7 Rights of data subjects

(1) The processor is obliged to support the controller with appropriate technical and organizational measures, where possible, to comply with the obligations to respond to requests to safeguard the rights of data subjects referred to in Art. 12 to 22 GDPR (Art. 28 para. 3 sentence 2 lit. e GDPR).

(2) Insofar as the data subject has a right to data portability vis-à-vis the controller, the processor shall ensure that the controller can receive the personal data processed in the processor's area of responsibility in a structured, commonly used and machine-readable format.

(3) The processor may only disclose, rectify, erase or restrict the processing of personal data in accordance with documented instructions from the controller (Art. 28 para. 3 sentence 2 lit. g GDPR).

(4) If a data subject contacts the data processor directly to assert their rights pursuant to Art. 12 to 22 GDPR, the data processor shall forward the request to the data controller without delay.

(5) The processor may only provide information to third parties or data subjects with the prior written consent of the controller.

(6) The controller is responsible for informing data subjects in accordance with Art. 12 and 13 GDPR. Necessary information in connection with this obligation, which is only available to the processor, will be made available to the controller upon request.

§ 8 Obligations of the processor

In addition to complying with the provisions of this contract, the processor must comply with the statutory obligations pursuant to Art. 28 to 36 GDPR. In this respect, it shall ensure compliance with the following requirements in particular:

(1) If the processor is legally obliged to appoint a data protection officer in writing in accordance with Art. 37 GDPR, § 38 BDSG, the processor shall provide the controller with the contact details of the data protection officer for the purpose of direct contact. The controller must be notified immediately of any change of data protection officer.

The external data protection officer appointed at the processor is:

Dr. Niels-Christian Haag
c/o intersoft consulting services GmbH
Schöneberger Ufer 47
D-10785 Berlin
Telephone: +49 40 790 235 - 402
E-Mail: dsb-vimcar@intersoft-consulting.de

(2) The Processor shall support the Controller in complying with the obligations set out in Art. 32 - 36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes in particular

  • ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and enable the immediate detection of relevant breach events;
  • the obligation to inform the controller without undue delay if the processor becomes aware of a personal data breach (Art. 28 (3) (f), Art. 33 (2) GDPR);
  • the obligation to support the controller in the context of his duty to inform the data subject and to provide him with all relevant information in this context without delay;
  • the support of the controller for its data protection impact assessment;
  • the support of the controller in the context of prior consultations with the supervisory authority.

§ 9 Control rights of the controller, Art. 28 para. 3 sentence 2 lit. h GDPR

(1) The processor undertakes to provide the controller, upon written request and within a reasonable period of time, with all information and evidence necessary to carry out a check by written procedure.

(2) The controller shall verify the technical and organizational measures of the processor before commencing data processing and regularly thereafter. This shall primarily take place by

  • obtaining information from the processor, or
  • independent test reports and certifications.

If the controller has reasonable grounds to doubt the accuracy of the audit reports or certifications, or if there are incidents within the meaning of Art. 33 (1) GDPR in connection with the performance of the data processing, the controller may carry out on-site inspections. These must generally be carried out as random checks in the areas relevant to the execution of the order processing. The processor must be notified of these in writing in good time in advance, usually at least 14 calendar days (exception e.g. in the case of special incidents). The same applies to on-site inspections without cause. The exercise of the right of inspection must not unduly disrupt the processor's business operations or be abusive. The costs incurred by the inspection of the processor shall be borne by the controller.

(3) A record of the inspection and its results shall be drawn up by the controller.

§ 10 Liability

(1) The controller shall be responsible for compensation for damages suffered by a data subject due to unauthorized or incorrect data processing or use within the scope of the contractual relationship. The processor shall support the controller to the best of its ability in the defense against claims by data subjects or in the event of regulatory measures.

(2) Insofar as the controller is obliged to pay damages to the data subject, the controller reserves the right of recourse against the processor if the processor has culpably breached the obligations arising from this contract or from the BDSG, the GDPR and other data protection regulations or has acted contrary to the express instructions of the controller (Art. 82 para. 2 GDPR).

§ 11 Termination of the contract (Art. 28 para. 3 sentence 2 lit. g GDPR)

(1) Upon completion of the provision of the processing services, the processor shall either delete or return all personal data at the discretion of the controller, unless there is a legal obligation to store the personal data.

(2) In this case, the Processor shall confirm to the Controller in text form, stating the date and without further request, that it has returned to the Controller or destroyed or securely deleted all data carriers and other documents that may have been provided to it and has therefore not retained any of the Controller's data.

(3) Documentation that serves as proof of proper data processing shall be retained by the processor beyond the end of the contract in accordance with the respective retention periods.

§ 12 Final provisions

(1) Data carriers and data records provided shall remain the property of the controller.

(2) Should one or more provisions of this agreement be invalid, this shall not affect the validity of the remaining provisions. In the event of the invalidity of one or more provisions, the contracting parties shall immediately replace the invalid provision with a provision that most closely corresponds to the invalid provision in terms of commercial and data protection law.

(3) Insofar as other agreements at the time of the conclusion of this contract contain provisions to the contrary or contradict this contract, the contents of this contract shall take precedence.

(4) The following annexes are an integral part of this agreement:

Appendix 1

Information on processing

a. Object and purpose of the processing

The subject of the order is the provision of one or more of the following services as Software-as-a-Service:

  • Software for fleet management (Avrios),
  • Live tracking and route documentation (Vimcar Fleet Geo),
  • electronic logbook (driver's logbook).

The details of the order are set out in the contract between the contracting parties for one or more of these services, to which reference is made here (hereinafter referred to as the "main contract").

b. Categories of data subjects and personal data

When providing the Services, personal data of the following categories of data subjects may be processed on a regular basis:

  1. Drivers (former and current employees and their spouses and dependents, current contractors as well as applicants, candidates and future employees);
  2. Users (authorized users of the customer (who are not drivers) who are entitled to use the services);
  3. Third parties (customers, business partners, suppliers, consultants, representatives, freelancers and/or subcontractors of the customer (natural persons)).

c. Type of data processed

Avrios fleet management:
  • First name, last name, address, gender
  • Internal ID, cost center, organization, department, location, industry and sub-industry, reporting structure
  • If applicable, other address information, such as temporary residence
  • Date and place of birth, language, nationality, right of residence, marital status, details of dependents, national identification number
  • Date of entry and, if applicable, date of exit
  • Information on salary planning (fringe benefits relating to company cars), service specifications and related information (entitlement to company car and class of company car)
  • Telephone number, fax number, cell phone number, e-mail address
  • Driving license picture
  • License plate, chassis number

Vimcar Fleet Geo / logbook:
  • First name, last name
  • E-mail address, telephone number, cell phone number
  • Logbook data (only when using the electronic logbook);
  • Trip data while driving (only when using the electronic logbook, live location and route documentation, hardware-related);
  • VIN (Vehicle Identification Number; only when using the electronic logbook, live tracking and route documentation);
  • Test parameters for carrying out the automated driver's license check (optional when using the driver's license check)
  • Technical vehicle data (e.g. repair status), photos of vehicles (optional when using the claims management system)

Appendix 2

Technical and organizational measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
a. Access control (unauthorized physical access to premises must be prevented)
  • Authorization cards
  • Electronic access code cards/ access transponders
  • Key regulation, instructions for issuing keys
  • Accompaniment of visitor access by our own employees
  • Security also outside working hours through plant security
  • Separately secured access to the data center
  • Storage of servers in locked rooms
b. Access control (preventing unauthorized persons from accessing or using the IT systems)
  • Encryption of network traffic; protocols used: SSH, HTTPS, TLS 1.2
  • Password protection for computer workstations
  • Use of individual passwords
  • Automatic blocking of user accounts after multiple incorrect password entries
  • Password policy with minimum password complexity requirements:
    • At least 8 characters, drawn from upper case, lower case, special characters and digits (at least 3 of these 4 criteria)
    • Prevention of trivial passwords (e.g. dog1, dog2, dog3)
    • Hashes are "salted" (salt) or "peppered" (pepper)
  • Process for assigning rights when new employees join the company
  • Process for revoking rights when employees change departments
  • Process for withdrawing rights when employees leave the company
  • Obligation of confidentiality
  • Logging and evaluation of system usage
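The password-related measures in this section (minimum length with 3 of 4 character classes, rejection of trivial passwords such as dog1/dog2/dog3, salted and peppered hashes, and account lockout after repeated failures) can be made concrete in a few lines. The following is an added example written for this page, not code from Shiftmove or its products. It assumes a lockout threshold of 5 (the page only says "multiple"), a small constructed deny-list of base words, a constructed pepper value, and substitutes PBKDF2-HMAC-SHA256 from the Python standard library for the bcrypt named later in Appendix 2 so that it runs without third-party packages.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy parameters taken from Appendix 2 (b): at least 8 characters and at
# least 3 of the 4 character classes. The lockout threshold is an assumption;
# the page only says "multiple incorrect password entries".
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_FAILED_ATTEMPTS = 5

# Constructed deny-list of trivial base words in the spirit of the page's
# "dog1, dog2, dog3" example; a real deployment would use a breach corpus.
TRIVIAL_BASES = {"password", "dog", "cat", "qwerty", "welcome", "admin", "letmein"}

# Pepper: a constructed example value. In production it is a secret held in a
# KMS/HSM or secret store, never in the same database as the hashes, so that a
# dumped user table cannot be cracked without it.
PEPPER = b"constructed-example-pepper-do-not-use"

# Work factor for PBKDF2-HMAC-SHA256 (substituted here for the page's bcrypt
# because it is in the standard library); 600k follows current OWASP guidance.
ITERATIONS = 600_000


def character_classes(pw: str) -> int:
    """Count how many of the 4 classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_trivial(pw: str) -> bool:
    """Reject deny-listed words with any trailing digits/punctuation removed,
    so dog1, dog2, dog3 and Dog99! all collapse to the base word "dog"."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base in TRIVIAL_BASES


def check_policy(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if is_trivial(pw):
        problems.append("trivial password")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted and peppered hash: the pepper is applied via HMAC before the
    slow salted KDF, so the stored (salt, digest) pair is useless without it."""
    salt = salt if salt is not None else os.urandom(16)
    peppered = hmac.new(pepper, pw.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return salt, digest


def verify_password(pw: str, salt: bytes, expected: bytes,
                    pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> bool:
    _, digest = hash_password(pw, salt, pepper, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    iterations: int = ITERATIONS
    failed_attempts: int = 0
    locked: bool = False


def login(acct: Account, pw: str) -> str:
    """Returns "ok", "wrong-password" or "locked"; locks after MAX_FAILED_ATTEMPTS."""
    if acct.locked:
        return "locked"
    if verify_password(pw, acct.salt, acct.digest, iterations=acct.iterations):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "wrong-password"


if __name__ == "__main__":
    for candidate in ["dog3", "abcdefghij", "Tr0ub4dor&3"]:
        print(candidate, check_policy(candidate) or "accepted")
    salt, digest = hash_password("Tr0ub4dor&3")
    acct = Account(salt, digest)
    print([login(acct, "wrong") for _ in range(5)], login(acct, "Tr0ub4dor&3"))
```

The point of applying the pepper before the salted KDF rather than appending it to the salt is that the pepper never needs to be stored next to the hash: a leaked user table yields nothing crackable without the separately held secret, while the per-user salt still prevents precomputed tables. A lockout counter that resets on success and a constant-time digest comparison complete the measures the section lists.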
c. Access control (prevention of unauthorized activities in IT systems outside of granted authorizations)
  • Rules for restoring data from backups (who, when, at whose request)
  • Restriction of free and uncontrolled database queries
  • Partial access options to databases and functions (Read, Write, Execute)
  • Logging of file accesses
  • Logging of file deletions
  • Appropriate security systems (software/hardware) in use:
    • Firewalls
    • Spam filter
  • Encrypted data storage
    • Encryption algorithm used: AES-256 (AWS at-rest encryption)
d. Separation control (separate processing of data collected for different purposes)
  • Separation of customers (multi-client capability of the system used)
  • Logical data separation (e.g. based on customer or client numbers)
  • Separation of development, test and production systems

2. Integrity (Art. 32 para. 1 lit. b GDPR)
a. Disclosure control (aspects of the disclosure (transfer) of personal data must be regulated)
  • Separation of development, test and production systems
  • Data exchange via HTTPS connection
    • Encryption used: SSL/TLS-based (FreeBSD, SSH, HTTPS)
    • Hash function used: bcrypt
    • Hashes are "salted" (salt) or "peppered" (pepper)
  • Encryption of confidential data carriers
  • Encryption of laptop hard disks
b. Input control (traceability and documentation of data management and maintenance)
  • Definition of user authorizations (profiles)
  • Differentiated user authorizations (read, change, delete)
  • Partial access to data or functions
  • Commitment to data secrecy
  • Log concept that goes beyond the OS standard
  • Dedicated log server
  • Regulation of access authorizations for log servers (LogAdmin)

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR; protection against accidental destruction or loss)
a. Availability control
  • Data protection and backup concepts
  • Implementation of data protection and backup concepts
  • Restrict access to server rooms to essential personnel only
  • Fire alarm systems in server rooms
  • Smoke detectors in server rooms
  • Air-conditioned server rooms
  • Lightning/overvoltage protection
  • Ensuring the technical readability of backup storage media for the future
  • Disaster or emergency plan (e.g. water, fire, explosion, threat of attack, crash, earthquake)
  • UPS system (uninterruptible power supply)
  • Power generator
b. Resilience control (ability to deal with risk-related changes, tolerance and resilience to disruptions)
  • Backup data center available (hot standby)
  • Redundant power supply
  • Redundant UPS system
  • Redundant power generators
  • Hard disk mirroring
  • Load balancer
  • Data storage on RAID systems (RAID 1 and higher)
  • Delimitation of critical components
  • System hardening (deactivation of unnecessary components)
  • Immediate and regular activation of available software and firmware updates:
    • Use of redundant systems to maintain operation while the main devices are updated.
    • Progressive deployment of updates/patches to detect issues early without impacting multiple devices.
    • Establish a test period to verify the correct implementation of the update and ensure that operations continue to run smoothly with the new updates.
  • Security is included as a key consideration during the design phase of the systems:
    • Definition of security measures to protect and validate communication between system components.
    • Limitation of authorizations to the extent necessary.
    • External processors and maintenance personnel are given specific access that is only active during the intervention and deactivated the rest of the time.

4. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

a. Control procedures (procedures for regularly reviewing, assessing and evaluating the effectiveness of data security measures)

  • Internal procedure directories are updated at least once a year
  • Notification of new/changed data processing procedures to the data protection officer
  • Notification of new/changed data processing procedures to the IT security officer
  • Processes for reporting new/changed procedures are documented
  • Data protection-friendly default settings are selected
  • Security measures taken are subject to regular internal checks
  • If the aforementioned review is negative, the security measures are adapted, renewed and implemented on a risk-related basis
b. Order control (ensuring data processing by service providers in accordance with instructions)
  • Drafting contracts in accordance with legal requirements (Art. 28 GDPR)
  • Central recording of existing service providers (standardized contract management)
  • Regular checks on the processor after the start of the contract (during the term of the contract)
  • Review of the data security concept at the processor
  • Inspection of existing IT security certificates of the processors