- Leadbacker shall make the Leadbacker application technically available to the client and support it. In this context, Leadbacker is the client's data protection processor pursuant to Art 28 of the General Data Protection Regulation (EU Regulation 2016/679; "GDPR"); the client is the controller within the meaning of Art 4 no. 7 GDPR.
- Within the scope of the commissioned processing, the following categories of personal data of the users of the Leadbacker application are processed:
  * First and last name
  * E-mail address
  * Department and direct supervisor
  * Login data
  * The IP address of the device used for Leadbacker
  * Information about the self-perception and external perception of the events ("data") entered and activated by the user in the form of answers from employees to questions defined by the user
  * Optionally provided by the user: gender, generation, duration of company affiliation
- The duration of the commissioned processing corresponds to the duration of this license agreement. The commissioned processing also ends with the end of the license agreement.
- Leadbacker undertakes to use personal data and processing results as the client's commissioned processor exclusively for the performance of this License Agreement and for the purposes provided for therein (in particular the scope of the Leadbacker application). In addition, client data is collected anonymously by Leadbacker for analysis purposes and used for product improvement purposes. This data processing is not carried out on a personal basis.
- Leadbacker as a processor undertakes to process personal data only on the documented instructions of the controller - also regarding the transfer of personal data to a third country or an international organization - unless it is obliged to do so by Union law or the law of a member state of the EU to which it is subject. In such a case, Leadbacker as processor shall notify the client of such legal requirements prior to the processing, unless the relevant law prohibits such notification due to an important public interest.
- Leadbacker as a processor shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality before commencing the activity or are subject to an appropriate statutory duty of confidentiality. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their activity and their departure from Leadbacker. The obligation to maintain confidentiality must also be observed for data of legal entities and partnerships under commercial law.
- Leadbacker as processor declares that it has taken sufficient technical and organizational security measures within the meaning of Art 32 GDPR to ensure a level of protection appropriate to the risk.
- The client as controller hereby gives its general consent that Leadbacker as Processor is entitled to use the services of further processors (hereinafter referred to as "Sub-Processors") to carry out certain Processing Activities of the Order Processing. Leadbacker shall always inform the client of any intended change regarding the use or replacement of sub-processors. The client has the possibility to object within 14 days. If the client does not exercise this right of objection, the sub-processor shall be deemed approved. If Leadbacker uses the services of a sub-processor to carry out certain data processing activities on behalf of the client, Leadbacker shall impose the same data protection obligations on this sub-processor by way of a contract as are set out in this License Agreement.
- Leadbacker as the processor undertakes to support the client as the controller to the extent possible with suitable technical and organizational measures to fulfill its obligation to respond to requests to exercise the rights of the data subject.
- Furthermore, Leadbacker as processor undertakes, considering the type of processing and the information available to it, to support the client as controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (security of processing; notification of personal data breaches to the supervisory authority and to data subjects; data protection impact assessment and consultation with the data protection authority).
- Leadbacker as the processor shall be obliged to delete or return all personal data one month upon completion of the provision of the processing services unless there is an obligation to store the personal data under Union law or the applicable law of a Member State of the EU.
- Leadbacker shall provide the client with all necessary information to demonstrate compliance with the obligations set forth in this Section 7 and shall allow for audits - including inspections - to be carried out by the client as the controller or another auditor appointed by the client.
- Leadbacker shall inform the client without delay if it believes that a data transfer violates the GDPR or other applicable data protection regulations.
- Leadbacker shall only be liable to the client for damages caused in connection with data processing if it has not fulfilled its obligations specifically set out in this Section 7 and the relevant data protection legislation (in particular the GDPR).
In the event of any uncertainties, the German version of Leadbacker's GDPR shall apply.