This Personal Data Processor Agreement (hereinafter "the Agreement") has been entered into on the date hereof between AuPair.com – MultiKultur e.K. (hereinafter "AuPair.com") and you as an AuPair.com partner agency. The AuPair.com partner agency is referred to in the Agreement as "an agency" or "the agency".
1. Background
1.1 The agency receives AuPair.com users’ personal and contact data when the user submits the contact form placed on the agency’s profile. The users can also send personal and contact data to the agency through the AuPair.com mailing system. Thus, contact and personal data is forwarded to the agency in order to allow the agency to process the user’s request.
The contact and personal data includes but is not limited to name, address, email address, telephone number.
1.2 The data protection legislation imposes the requirement that an agreement in writing must exist between the person who determines the purpose and means of the processing of personal data ("Personal Data Controller") and the person who processes personal data on behalf of the Personal Data Controller ("Personal Data Processor"). Within the framework of the collaboration, AuPair.com will be regarded as the Personal Data Controller and the agency will be regarded as the Personal Data Processor.
1.3 The agency and AuPair.com agree that "personal data", "the data subject" and "processing" will have the meanings specified in the General Data Protection Regulation (GDPR).
2. Processing of personal data
2.1 The agency may not process personal data in any other way than necessary for the performance of the collaboration and only in accordance with data protection legislation.
2.2 The agency is obliged to adopt the necessary technical and organisational measures required to protect the personal data that is being processed. The measures must bring about a level of security that is appropriate in view of
- existing technical resources,
- the cost of implementing the measures,
- the particular risks associated with processing personal data, and
- the degree of sensitivity of the personal data being processed.
2.3 The agency must maintain a satisfactory level of security for the personal data. The personal data must be protected by the agency against destruction, alteration, unauthorised dissemination or unauthorised access. The personal data must also be protected against every other kind of unauthorised processing.
2.4 When the agency’s processing of personal data has been completed, the personal data must be deleted. The agency must issue, at AuPair.com's request, a written certificate on what action was taken with the personal data when the processing has been completed.
3. Engagement of third parties
The Personal Data Processor may not engage any other party to carry out tasks included in this Agreement.
4. Right to control, auditing and assistance
4.1 In accordance with data protection legislation, AuPair.com is entitled to carry out checks to ensure that the processing of personal data carried out by the agency complies with the provisions. AuPair.com is entitled to take necessary action to obtain assurances that the agency is able to implement the security measures to be adopted and to obtain assurances that the agency actually adopts these measures. The Personal Data Processor must thus have a right to supervise, verify and review the collaboration under this Agreement by means of a range of control functions, e.g. through internal and external auditors and through enabling auditors and supervisory authorities to carry out site visits. The agency undertakes to ensure that AuPair.com obtains any assistance that may reasonably be required to allow AuPair.com to easily obtain these assurances.
4.2 The Personal Data Processor is obliged to assist the Personal Data Controller in the event that a data subject asks to be permitted access to the information recorded on him or her or asks for that information to be corrected.
5. Confidentiality
5.1 The agency undertakes not to disclose to third parties any confidential information that the agency received from AuPair.com under the Agreement. Nor may the agency make use of that confidential information to a greater extent than is necessary to enable it to fulfil its undertakings under the Agreement.
"Confidential information" means all information, whether technical, commercial or of any other kind in any verbal, written or electronic form, that the agency receives from AuPair.com, as well as copies of that information issued under circumstances that indicate that it is to be regarded as confidential.
5.2 Confidential information does not refer to information that
(a) was available to the public at the time of disclosure;
(b) was legally available to the agency at the time of disclosure and was not, either directly or indirectly, disclosed by AuPair.com, provided the information is not confidential for other reasons.
5.3 The agency is required to ensure that employees, consultants and other workers engaged by the agency to carry out tasks within the framework of the collaboration are bound by confidentiality.
5.4 Confidentiality as described in Section 5 also applies in the event that AuPair.com commissions a third party to perform their duties. Confidentiality in accordance with Section 5 applies without any time limit.
6. Damages
6.1 The agency is liable for any damage and violation of personal privacy that processing in breach of the provisions set out in section 2 above has caused a data subject of AuPair.com or for which AuPair.com must compensate a data subject. The agency's liability for damages is limited to the amount of the compensation that AuPair.com was ordered to pay the data subject or to the amount determined through conciliation. The agency's liability for damages is further limited to cases where the damage is due to the fact that the agency processed personal data for which AuPair.com is the Personal Data Controller.
6.2 The agency is liable for damage caused to a third party due to breach by the agency of the obligation regarding professional secrecy contemplated in section 4 above. The agency's liability for damages is limited to the amount of the compensation that AuPair.com was ordered to pay a third party or to the amount determined through conciliation.
7. Settlement of disputes
7.1 For disputes concerning the Agreement, its origin, its interpretation and/or its application or other legal relationship associated with the Agreement, German law will apply and the dispute will be settled before a general court.
8. Term of the agreement and amendments
8.1 This agreement applies on a continuous basis with a mutual notice period of 3 months.
8.2 Amendments or supplements to the Agreement must be issued in electronic writing and require the approval of both parties.
8.3 Neither the agency nor AuPair.com may assign its rights or obligations under the Agreement in whole or in part without the other party's consent in electronic writing.
8.4 This Agreement applies from the date when it is electronically agreed to by the agency. What was agreed between the parties in the Agreement will continue to apply between the parties even after the collaboration agreement has ceased to apply.
Annexe 1
Instructions for AuPair.com Partner's processing of personal data on behalf of AuPair.com – MultiKultur e.K.
The agency must comply with the instructions set out below when processing personal data:
- The agency must comply with the General Data Protection Regulation guidelines decreed by the European Union.
- Employees, consultants and other assistants at the agency must only have access to personal data that they require in order to carry out their duties for the performance of agreements entered into with AuPair.com.
- The agency will be liable for ensuring that no unauthorised use or access to personal data takes place in their systems.
- The agency should have an updated and implemented security policy that determines how personal data must be processed, whom the personnel must consult in the event of a breach or other incident, which employees are authorised to access which type of data, etc. That policy should be designed after a risk analysis has been carried out to survey the threats existing against the personal data and what consequences any threats carried into effect would have for the integrity of the personal data. The security policy should also address backup procedures, etc.
- If portable computers must be used in order to comply with agreements entered into or to carry out agreed work, their hard drives must be encrypted to prevent unauthorised persons gaining access to the information if the workstation is stolen. Furthermore, information existing on the portable workstation must be synchronised with the stationary workstations so that the loss of a portable workstation does not mean a loss of data.
- It must be possible to log and trace processing of personal data.
- The agency must have an updated anti-virus program. Updates must be installed immediately and the anti-virus program must be installed on all workstations, stationary and portable, and servers.
- The agency must correct, block, delete, change or screen personal data according to AuPair.com's instructions.
- The agency may not store the personal data longer than necessary according to the purpose of the processing. This means, among other things, that the agency must delete all information on customers that AuPair.com has sent to the agency. Nothing in the foregoing provisions prevents the agency from processing information on its own customers independently and on its own behalf. Nevertheless, information that the customer is a customer of AuPair.com must be deleted.