Order processing contract

Version May 2024

Agreement on order processing

Agreement on order processing

Agreement on order processing

Regulations on data protection and data security in contractual relationships

according to Art. 28 GDPR

Shiftmove GmbH

Warschauer Straße 57

10243 Berlin

- hereinafter referred to as "Processor" -

and you

- hereinafter referred to as the "Controller" -

- hereinafter jointly referred to as the "Contracting Parties"


This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR is part of our General Terms and Conditions ("Main Agreement") concluded between our users and Shiftmove GmbH and can be accessed here: https://www.shiftmove.com/legal/agb.  In accordance with this agreement, this DPA applies to the processing of your personal data in the context of the provision of our product.

The agreement is based on the provisions of the GDPR and the BDSG.

§ 1 Subject matter, type and purpose of processing; type of personal data, categories of date subjects

(1) The subject matter of the processing is the provision of one or multiple services as a Software-as-a-Service from the Shiftmove Group ("Services"). The nature and purpose of the processing are defined in Annex 1a. The type of processing is listed in Appendix 1b.

(2) The categories of data subjects are defined in Appendix 1c.

(3) The type of personal data processed is defined in Appendix 1d.

(4) Appendix 1 is part of this agreement.

(5) The Controller instructs the Processor to process this data for these purposes.

§ 2 Duration of the order

The duration of this order (term) corresponds to the term of the Main Agreement.

§ 3 Responsibility and authority to issue instructions

(1) The Controller shall be responsible for compliance with the provisions of data protection law, in particular for the lawfulness of the transfer of data to the Processor and for the lawfulness of the data processing (Art. 4 No. 7 GDPR). The Processor shall not use the data for any purposes other than those specified in this data processing agreement as well as the main Agreement and, in particular, is not authorised to pass them on to third parties not covered by § 6 of this agreement. Copies and duplicates will not be made without the knowledge of the Controller. Anything to the contrary shall only apply to the extent specified in § 3 (2) of this agreement.

(2) The Processor shall process personal data only on the documented instructions of the Controller, unless there is another obligation under Union law or the law of the Member State to which the Processor is subject. In the event of another obligation, the Processor shall inform the Controller of the corresponding legal requirements without delay prior to such processing, if legally permitted.

(3) If the Processor is of the opinion that an instruction of the Controller violates data protection regulations, it shall inform the Controller immediately in accordance with Art. 28 (3) GDPR. Until the corresponding instruction has been confirmed or amended, the Processor is authorised to suspend the processing based on the violating instruction.

(4) Changes to the object of processing must be jointly agreed and documented. The Processor may only provide information to third parties or the data subject with the prior written consent of the Controller.

§ 4 Confidentiality

The Processor shall only give access to Controller personal data to employees who have been bound to confidentiality in accordance with Art. 28 (3) (b) GDPR and who have received dedicated training on the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data may only process this data in accordance with the Controller's instructions, including the authorisations granted in this Data Processing Agreement, unless they are legally obliged to do so.

§ 5 Date security

(1) The contracting parties agree on the specific data security measures set out in Appendix 2 "Technical and organisational measures" to this agreement in accordance with Art. 28 (3) (c) GDPR in conjunction with Art. 32 (1) GDPR in order to ensure the security of the processing on behalf. The measures to be implemented by the Processor are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects  within the meaning of Art. 32 (1) GDPR will be taken into account by the Processor when implementing such measures.

(2) Appendix 2 is an integral part of this agreement.

(3) The Processor shall observe the principles of proper data processing. It shall guarantee the contractually agreed and legally required data security measures. The technical and organisational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not be undercut. Significant changes must be documented and communicated to the Controller in writing.  

(4) In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Art. 33, 34 GDPR, taking into account the nature of the processing and the information available to the Processor.

(5) In the event of a personal data breach in connection with the data processed by the Processor, the Processor shall notify the Controller without undue delay after becoming aware of the breach. This notification shall contain at least the following information:

  • a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects affected and the approximate number of data records affected);
  • contact details of a contact point where further information about the personal data breach can be obtained;
  • the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.

§ 6 Inclusion of further Processors (subcontractors)

(1) For the purposes of this agreement, subcontractors are further Processors whose services are directly related to the provision of the main service. This does not include ancillary services which the Processor utilises, e.g. as telecommunications services, postal/transport services and cleaning. However, the Processor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the Controller's data, even in the case of outsourced ancillary services.

(2) The use of subcontractors or the change of the existing subcontractor is permitted, provided that:

  • the Processor notifies the Controller of such outsourcing to subcontractors 14 calendar days in advance in writing or in text form, and
  • the Controller does not object to the planned outsourcing in writing or in text form to the Processor by the time the data is transferred.

(3) A contractual agreement shall be concluded with the subcontractor in accordance with Art. 28 (3) and (4) GDPR.

(4) The transfer of personal data of the Controller to the subcontractor and the subcontractor's initial activities are only permitted once all legal requirements for subcontracting have been met. The subcontractors authorised by the Controller at the time the contract are listed in Appendix 3. The subcontractors of the subcontracting entities can be viewed under the links https://vimcar.de/datenschutz/subunternehmer and https://www.avrios.com/de/legal/sub-Processors.

(5) Affiliated companies of the Shiftmove Group are commissioned as subcontractors.

(6) Any transfer of data processing to a third country requires the prior documented instruction or authorisation of the Controller and may only take place if the special requirements of Art. 44-49 GDPR are met.

(7) Appendix 3 is part of this agreement.

§ 7 Rights of date subjects

(1) The Processor is obliged to support the Controller with appropriate technical and organisational measures, where possible, to comply with the obligations to respond to requests of data subjects exercising their rights under Art. 12 to 22 GDPR (Art. 28 (3) (e) GDPR).

(2) Insofar as the data subject has a right to data portability vis-à-vis the Controller, the Processor shall ensure that the Controller can receive the personal data processed in the Processor's area of responsibility in a structured, commonly used and machine-readable format.    

(3) The Processor may only disclose, rectify, erase or restrict the processing of personal data in accordance with documented instructions from the Controller (Art. 28 (3) (g) GDPR).

(4) If a data subject contacts the Processor directly in order to exercise their rights pursuant to Art. 12 to 22 GDPR, the Processor shall forward the request to the Controller without undue delay.

(5) The Processor may only provide information to third parties or data subjects with the prior written authorisation  of the Controller.

(6) The Controller is responsible for informing data subjects in accordance with Art. 12 and 13 GDPR. Necessary information in connection with this obligation, which is only available to the Processor, will be made available to the Controller upon request.

§ 8 Obligations of the Processor

In addition to complying with the provisions of this contract, the Processor must comply with the obligations pursuant to Art. 28 to 36 GDPR. In this respect, the Processor shall in particular ensure compliance with the following requirements:

  1. If the Processor is legally obliged to appoint a data protection officer in writing in accordance with Art. 37 GDPR, § 38 BDSG, the Processor shall provide the Controller with the contact details of the data protection officer for the purpose of direct contact. The Controller must be notified immediately of any change of data protection officer.

  2. The external data protection officer at the Processor is
    clever datenschutz GmbH
    E-Mail: privacy@shiftmove.com

(2) The Processor shall support the Controller in complying with the obligations set out in Art. 32 - 36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes in particular

  • ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and enable the immediate detection of relevant breach events
  • the obligation to inform the Controller without undue delay if the Processor becomes aware of a personal data breach (Art. 28 (3) (f), Art. 33 (2) GDPR);
  • the obligation to support the Controller in the context of his duty to inform the data subject and to provide him with all relevant information in this context without delay;
  • the support of the Controller for its data protection impact assessment;
  • the support of the Controller in the context of prior consultations with the supervisory authority.

§ 9 Control rights of the Controller, Art. 28 para. 3 sentence 2 lit. h GPDR

(1) The Processor undertakes to provide the Controller, upon written request and within a reasonable period of time, with all information and evidence necessary to carry out a written inspection.

(2) The Controller shall verify the technical and organisational measures of the Processor before commencing data processing and thereafter on a regular basis. This shall primarily be done by

  • Obtaining information from the Processor, or
  • Independent test reports and certifications

take place.

If the Controller can assert justified doubts about the accuracy of the test reports or certifications on the basis of factual evidence, if there are incidents within the meaning of Art. 33 para. 1 GDPR in connection with the performance of data processing, or if documents submitted in advance do not provide the necessary evidence in full, the controller may carry out on-site inspections. The Processor must be notified of these in writing in good time in advance, but generally at least 14 calendar days (exception e.g. in the case of special incidents). The same applies to causeless on-site inspections. On-site inspections without cause can be carried out a maximum of once a year. The exercise of the right of inspection must not unduly disrupt the business operations of the Processor or be abusive. The Controller shall bear the actual costs caused by unprovoked on-site inspections of the Processor.

(3) A record of the inspection and its results shall be drawn up by the person responsible.

§ 10 Liability

(1) The liability of the parties shall be governed by Art. 82 GDPR. This shall not affect the Processor’s liability to the Controller for breach of obligations under this contract or the main contract.

(2) The parties shall release each other from liability if one party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. § 10 (2) sentence 1 shall apply accordingly in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the respective other party bears a share of the responsibility for the breach sanctioned by the fine.

§ 11 Non-compliance with the clauses and termination of the contract (Art. 28 (3) (g) GDPR)

(1) Without prejudice to any provisions of the GDPR, in the event that the Processor is in breach of its obligations under these Clauses, the controller may instruct the Processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The Processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.

(2) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:

  • the processing of personal data by the Processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
  • the Processor is in persistent breach of these Clauses or its obligations under the GDPR;
  • the Processor fails to comply with a binding decision of a competent court or the competent supervisory authorities regarding its obligations pursuant to these Clauses or the GDPR.

(3) The Processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.

(4) Upon completion of the provision of the processing services, the Processor shall either delete or return all personal data at the discretion of the Controller, unless there is a legal obligation to store the personal data.

(5) In this case, the Processor shall confirm to the Controller in text form, stating the date and without further request, that it has returned to the Controller or destroyed or securely erased all data carriers and other documents that may have been provided to it and has therefore not retained any data of the Controller.

(6) Documentation that serves as proof of proper data processing shall be retained by the Processor beyond the end of the contract in accordance with the respective retention periods.

§ 12 Final provisions

(1) Data carriers and data records provided shall remain the property of the Controller.

(2) Should one or more provisions of this agreement be invalid, this shall not affect the validity of the remaining provisions. In the event of the invalidity of one or more provisions, the contracting parties shall immediately replace the invalid provision with a provision that most closely corresponds to the invalid provision in economic terms and in terms of data protection law.

(3) The contracting parties agree that Processor’s defense of the right of retention within the meaning of § 273 BGB (German Civil Code) with regard to the data to be processed and the associated data carriers is excluded.

(4) Insofar as other agreements at the time of the conclusion of this contract contain provisions to the contrary or contradict this contract, the contents of this contract shall take precedence.

(5) The following annexes form an integral part of this agreement: Appendix 1 "Information on processing",  Appendix 2 "Technical and organisational measures", Appendix 3 “Subcontractors”.

Appendix 1

Information on processing

a. Object and purpose of the processing

The subject of the processing is the provision of one or more of the following services as Software-as-a-Service:

  • Software for fleet management (Avrios) including the purposes:some text
    • Management of vehicles and drivers
    • Management of fines
    • Administration of fuel cards
    • Management of damage reports
    • Carrying out driver's license checks
    • Creation of reports and analyses
  • Live localisation and route documentation (Vimcar Fleet Geo) including the purpose:some text
    • Live tracking of vehicles
    • Route documentation of vehicles
    • Geo-fencing notification for vehicles
  • electronic logbook (logbook) including the purposes:some text
    • Route documentation of vehicles
    • Export of logbook data

Further details of the order are set out in the contract between the contracting parties for one or more of these services, to which reference is made here (hereinafter referred to as the "Main Agreement").

b. Type of processing

As part of the assignment, the Processor will carry out the following types of processing in accordance with Art. 4 No. 2 GDPR: Collection, recording, organization, ordering, storage, adaptation, alteration, retrieval, consultation, transmission, restriction, erasure and destruction of data.

c. Categories of data subjects and personal data

When providing the services, personal data of the following categories of data subjects may be processed on a regular basis:

  1. Drivers (former and current employees and their spouses and dependants, current contractors as well as applicants, candidates and future employees);
  2. Users (authorised users of the customer (who are not drivers) who are entitled to use the services);
  3. Third parties (customers, business partners, suppliers, consultants, representatives, freelancers and/or subcontractors of the customer (natural persons)).

d. Type of date processed

Avrios fleet management:

  • Tasks and comments
  • Fine notice information (addressee, amount, photos)
  • Entry date and exit date
  • Vehicle information (CO2 emissions, damage reports, license plate, chassis number)
  • Photos (driving license photos and portrait photos)
  • Driving license information
  • Contact information (telephone number, fax number, cell phone number, e-mail address)
  • Personal master data (first name, surname, address, gender, date and place of birth, language, nationality, residence permit, marital status, details of dependents, national identification number)
  • Company administration data (internal ID, cost centre, organization, department, location, sector and sub-sector, reporting structure)
  • Information on salary planning (fringe benefits relating to company cars), service specifications and associated information (entitlement to company car and class of company car)
  • Fuel card information (provider, costs, date, product)
  • Accident prevention regulation test results
  • Device data and IT usage data

Vimcar Fleet Geo:

  • First name, last name
  • E-mail address, telephone number, cell phone number
  • Logbook data
  • Trip data during the journey
  • Live tracking and route documentation;
  • VIN (Vehicle Identification Number)
  • Verification information for carrying out the automated driver's license check (optional when using the driver's license check)
  • Technical vehicle data (e.g. repair status), photos of vehicles (optional when using the damage management system)
  • Device data and IT usage dat

Vimcar Logbook:

  • First name, surname
  • E-mail address, telephone number, cell phone number
  • Logbook data
  • Trip data during the journey
  • Start and end point of trips
  • Kilometers driven
  • Categorization of private and business trips
  • Contact and address data
  • VIN (Vehicle Identification Number)
  • Test parameters for carrying out the automated driver's license check (optional when using the driver's license check)
  • Technical vehicle data (e.g. repair status), photos of vehicles (optional when using the damage management function)
  • Device data and IT usage dat

Appendix 2

Technical and organizational measures

1. confidentiality (Art. 32 para. 1 lit. b GDPR)
a. Access control (unauthorized access must be prevented (spatially))
  • Usage of key cards
  • Electronic access code cards/ access transponders
  • Documentation of key provisioning, instructions for issuing keys
  • Accompaniment of visitor access by our own employees
  • Security also outside working hours through security staff
  • Separately secured access to the data centre
  • Storage of servers in locked rooms
b. Access control (preventing unauthorised persons from accessing or using the IT systems) 
  • Encryption of networks: Encryption algorithms used: SSH, HTTPS, TLS 1.2
  • Password protection for workstations
  • Use of individual passwords
  • Automatic blocking of user accounts after multiple incorrect password entries
  • Password policy with minimum requirements for password complexity:some text
    • At least 8 digits / upper and lower case, special characters, number (of which at least 3 criteria)
    • Prevention of trivial passwords (e.g. dog1, dog2, dog3)
    • Hashes are "salted" (salt) or "peppered" (pepper)
  • Process for assigning rights when new employees join the company
  • Process for revoking rights when employees change departments
  • Process for withdrawing rights when employees leave the company
  • Obligation of confidentiality for employees
  • Logging and analysing system usage
c. Access control (prevention of unauthorised activities in IT systems outside of granted authorisations) 
  • Rules for restoring data from backups (who, when, at whose request)
  • Restriction of free and uncontrolled database queries
  • Partial access options to databases and functions (Read, Write, Execute)
  • Logging of file accesses
  • Logging of file deletions
  • Are appropriate security systems (software/hardware) used?some text
    • Firewalls
    • SPAM filter
  • Encrypted data storagesome text
    • Encryption algorithms used: AES 256 AWS at rest encryption
d. Separation control (seperate processing of data collected for different purposes)
  • Separation of customers (multi-client capability of the system used)
  • Logical data separation (e.g. based on customer or client numbers)
  • Separation of development, test and production systems

2. Integrity (Art. 32 para. 1 lit. b GDPR)
a. Disclosure control (aspects of the disclosure (transfer) of personal data must be regulated)
  • Separation of development, test and production systems
  • Data exchange via https connectionsome text
    • encryption algorithms used: SSL-based: Free-BSD, SSH, HTTPS)
    • Hash function used: bcrypt
    • Hashes are "salted" (salt) or "peppered" (pepper)
  • Encryption of confidential data carriers
  • Encryption of laptop hard drives
b. Input control (traceability and documentation of data management and maintenance)
  • Definition of user authorisations (profiles)
  • Differentiated user authorisations (read, change, delete)
  • Partial access to data or functions
  • Commitment to data secrecy
  • Log concept that goes beyond the OS standard
  • Dedicated log server
  • Regulation of access authorisations for log servers (LogAdmin)

3. Availability and resilience Art. 32 para. 1 lit. b GDPR (protection against accidental destruction or loss) 
a. Availability control
  • Data protection and backup concepts
  • Implementation of data protection and backup concepts
  • Restrict access to server rooms to essential personnel only
  • Fire alarm systems in server rooms
  • Smoke detectors in server rooms
  • Air-conditioned server rooms
  • Lightning/overvoltage protection
  • Ensuring the technical readability of backup storage media for the future
  • Disaster or emergency plan (e.g. water, fire, explosion, threat of attack, crash, earthquake)
  • UPS system (uninterruptible power supply)
  • Power generator
b. Resilience and resilience control (ability to deal with risk-related changes, tolerance and ability to compensate for disruptions)
  • Alternative data centres available (hot or cold standby?): Hot
  • Redundant power supply
  • Redundant UPS system
  • Redundant power generators
  • Hard disc mirroring
  • Load balancer
  • Data storage on RAID systems (RAID 1 and higher)
  • Delimitation of critical components
  • System hardening (deactivation of unnecessary components)
  • Immediate and regular activation of available software and firmware updates:some text
    • Use of redundant systems to maintain operation while the main devices are being updated.
    • Progressive deployment of updates/patches to detect problems early without affecting multiple devices.
    • Establish a test period to verify the correct implementation of the update and ensure that operations continue to run smoothly with the new updates.
  • Safety is included as a key consideration during the design phase of the systems:some text
    • Definition of security measures to protect and validate communication between system components
    • Limitation of authorisations to the extent necessary.
    • External Processors and maintenance personnel are given specific access that is only active during the intervention and deactivated the rest of the time.

4. Procedures for regular review, assessment and evaluation  (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
a. Control procedures (procedures for regularly reviewing, assessing and evaluating the effectiveness of data secruity measures) 
  • Internal procedure directories are updated at least annually
  • Notification of new/changed data processing procedures to the data protection officer
  • Notification of new/changed data processing procedures to the IT security officer
  • Processes for reporting new/changed procedures are documented
  • Data protection-friendly default settings are selected
  • Security measures taken are subject to regular internal monitoring
  • If the aforementioned review is negative, the safety measures are adapted, renewed and implemented on a risk-related basis

b. Order control (ensuring data processing by service provider in accordance with instructions) 
  • Contract design in accordance with legal requirements (Art. 28 GDPR)
  • Centralised recording of existing service providers (standardised contract management)
  • Regular checks on the Processor after the start of the contract (during the term of the contract)
  • Review of the data security concept at the Processor
  • Inspection of existing IT security certificates of the Processors

Appendix 3


The Controller has authorized the use of the following sub-Processors:

1.                            Name: Vimcar GmbH
Warschauer Str. 57, 10243 Berlin, Germany
                               Third Country:

                          - Provision and development of the SaaS Vimcar Logbook and Vimcar Fleet Geo
                          - customer support
                          - freight and package distribution

2.                           Name:
Avrios International AG
Weststrasse 50, 8003 Zurich, Switzerland
                               Third Country:
  Adequacy decision of the EU Commission

                          - Provision of the SaaS Avrios Fleet Management
                          - Customer support