Independent of your location of residence, a new section C. is added to the provisions of the End User License Agreement.
In order to fulfill the requirements of the applicable data protection laws, concerning the functionalities of the Software as well as the Client Devices the parties, until further notice, agree on the following regulations concerning commissioned (data) processing which supplement the EULA. The details of the data processing are described in Annex 1.
- RIGHTS AND OBLIGATIONS OF vCloudPoint
2.1 Compliance with Applicable Laws. The obligations of vCloudPoint shall arise from this Agreement and the applicable laws. The applicable laws shall particularly include the Personal Information Protection Law of the People’s Republic of China (PIPLPRC) and the General Data Protection Regulation (“GDPR”).
2.2 Processing on Instructions Only. vCloudPoint shall only process personal data within the scope of this Section C and on documented instructions from you mutually agreed by the parties in the EULA and the Performance Specification. Customer may issue additional instructions to the extent required in order to comply with the applicable data protection laws, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the law to which vCloudPoint is subject; in such a case, vCloudPoint shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. vCloudPoint shall ensure that this also applies for any persons granted access to personal data.
2.3 Obligation of Confidentiality. vCloudPoint shall ensure and provide verification upon request that those persons authorized to process personal data have committed themselves to confidentiality, unless they are subject to a statutory obligation of confidentiality.
2.4 Security Measures Pursuant to Art. 32 GDPR
2.4.1 Principle. vCloudPoint declares that it will implement the necessary measures for the security of processing according to Art. 32 of the GDPR (collectively, the “Security Measures”).
2.4.2 Scope. For the concrete commissioned processing, a level of security appropriate to the risk for the rights and freedoms of the natural persons who are the subject of the processing shall be guaranteed. In this regard, the protection objectives of Art. 32(1) of the GDPR, especially the confidentiality, integrity, availability and resilience of the processing systems and services in terms of the nature, scope, context and purposes of the processing shall be taken into account in such a way that any risks shall be mitigated permanently through appropriate security measures.
2.4.3 Data Protection Concept. The data protection concept describes in detail the selection of security measures. Please contact us to receive a copy of our security measures.
2.4.4 Procedure for Reviewing. The data protection concept describes the procedures for regularly reviewing, assessing and evaluating the effectiveness of the security measures. Please contact us to receive a copy of our security measures.
2.4.5 Changes. The Security Measures are subject to technical progress and further developments. vCloudPoint shall be permitted in principle to implement alternative adequate measures. The level of security may thereby not fall below the level existing prior to this Agreement on the basis of the Security Measures already implemented or to be implemented.
2.5 Engagement of Additional Processors. The obligations of vCloudPoint when engaging additional processors (“Sub-contractors”) are regulated in clause 3.
2.6 Assistance with Safeguarding the Rights of Data Subjects. vCloudPoint shall assist you by appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to rights to rectification, deletion or blocking according to the PIPLPRC or requests for exercising the data subject’s rights laid down in Chapter III of the GDPR. If a data subject should directly contact vCloudPoint for the purposes of exercising the data subject’s rights, vCloudPoint shall forward this request to you without delay. All costs incurred insofar shall be born by you and shall be refunded at an hourly rate of 70 Euro to the extent permissible under applicable data protection law.
2.7 Assistance with Ensuring Compliance with Art. 32 – 36 GDPR. Taking into account the nature of processing and the information available to vCloudPoint, vCloudPoint shall assist you in ensuring compliance with the obligations pursuant to Art. 32 – 36 GDPR, in particular with respect to the security of the processing, data protection impact assessments and consultation of supervisory authorities. All costs incurred insofar shall be born by you and shall be refunded at an hourly rate of 70 Euro to the extent permissible under applicable data protection law. vCloudPoint shall provide you with the information required for the preparation of the list of processing operations.
2.8 Deletion and Return at the End of Processing. At your choice, vCloudPoint shall delete or return the personal data that is the object of the commissioned data processing, unless the law to which vCloudPoint is subject re-quires storage of the personal data.
2.9 Information to Demonstrate Compliance with Data Protection Obligations and Inspections. vCloudPoint shall make available to you all information necessary to demonstrate compliance with the obligations resulting from clauses 2 and 3. In the event of any failure to provide such information or audit reports, vCloudPoint will regularly, at least every 18 months, make available certificates of regular audits by a recognized auditor. vCloudPoint allows for and contributes to additional audits, including inspections, conducted by you or another auditor mandated by the Customer; the costs for such additional audits shall be born by you except in case vCloudPoint’s certificate gives substantial rise to concerns of non-compliance.
2.10 Obligation to Notify Doubts About Instructions. vCloudPoint shall immediately inform you if, in its opinion, the execution of an instruction could infringe any applicable data protection laws.
2.11 Obligation to Notify Breaches. If vCloudPoint detects any breaches of applicable data protection laws, this Agreement, instructions of you relating to the data processing, or instructions of the data protection officer, vCloudPoint shall notify you without undue delay.
2.12 Designation of a Data Protection Officer. vCloudPoint has designated a data protection officer.
2.13 Disclosure or Publication of Appropriate or Suitable Safeguards for Transfers to a Third Country. vCloudPoint agrees to disclose or publish information on the appropriate or suitable safeguards that have been used to make a transfer to a third country to the extent that this is required under Art. 13(1) f) or 14(1) f) of the GDPR in order to inform the data subject.
3.1 Subcontractors Engaged Upon Conclusion of the Agreement. vCloudPoint has engaged a number of Subcontractors, and a list is available upon request. You shall treat the list of Subcontractors as a confidential business secret and shall not disclose it to third parties.
3.2 Additional Subcontractors. If vCloudPoint would like to engage additional or different Subcontractors to render the contractually agreed services, such Subcontractors shall be select-ed using the due care required by law. vCloudPoint shall give the data exporter prior notice of the appointment of any new Subcontractors 15 days in advance. You may object against the instruction of the new Sub-contractors on reasonable grounds. In case an understanding cannot be reached, vCloudPoint is entitled to terminate the EULA with 2 weeks notice.
3.3 Obligations of Subcontractors.
3.3.1 Structuring Contracts According to the Requirements of the Agreement. vCloudPoint shall structure the contracts with Subcontractors in such a way that they comply with the requirements of the applicable data protection laws and this Agreement.
3.3.2 Engagement of Additional or Different Subcontractors. vCloudPoint shall obligate any Subcontractors to commit in particular to refraining from engaging any additional or other Subcon-tractors to process personal data without complying with sec.3.2.
3.3.3 Checking Safeguards of Subcontractors. vCloudPoint will examine whether sufficient safeguards will be provided to implement appropriate technical and organizational measures in such a way that the applicable data protection laws and this Agreement are complied with.
Annex 1: Details of the Data Processing According to Section C.
- The object of the data processing arises from the EULA.
- The duration of the data processing shall depend on the term of the EULA.
- Nature and Purpose of the Processing. vCloudPointshall process all personal data solely for the purposes of enabling the use of the products and services provided under the EULA and according to documented instructions on behalf of the Customer.
- Type of Personal Data. The following types of personal data shall be processed:
4.1 Your Information.
4.1.1 Your Name.
4.1.2 Contact information such as company name, job title, email, telephone and postal address.
4.1.3 Payment token – vCloudPoint uses an external payment service provider and payments made in relation to an Account are identified through a token. vCloudPoint therefore does not collect or process personal data associated with bank or payment card de-tails.
4.2 User Information. Personally identifiable information collected and processed to enable product operation functionality depends on your application as summarized in Table 1.
4.3 Computer Information. Computer information including error logs & connection reports, unique identifiers of device, system and Software collected and processed to help fixing technical issues depends on your application as summarized in Table 1.
Table 1 – Personal Information processed in Products
|Profile Picture (optional)||No||No||No||Yes|
|Logs & Reports||No||No||No||Yes|
|System & Software Identifiers||Yes||Yes||Yes||Yes|