Security of processing

(1) The Service Provider must protect the personal data of the data subject, in particular, against unauthorized access, alteration, public disclosure, erasure, damage, or destruction.

(2) The Service Provider shall protect the personal data processed by him by taking appropriate organizational and technical (information technology) measures against unauthorized access and use. In respect of data security, IT systems processing various personal data may only be operated by the persons with the right of access. The criterion for the right of access shall be considered to be met if its extent is in compliance with the stipulation that the right of access must be provided on a need-to-know basis, i.e. it may only be granted to persons whose job-related tasks include processing. The rights of access and their use shall be revised by the Service Provider on a regular basis.

(3) The Service Provider shall act in compliance with the applicable laws and with reasonably due care; accordingly, he shall control, develop, operate, and handle his information technology systems based on the integrated management system in line with standards ISO 22301 and ISO 27001, during which he shall use high-availability hardware and software solutions, shall regularly revise such properties thereof, and shall develop, upgrade, or replace them as necessary. The certificates in line with the international industrial standards and the applicable laws obtained by the Service Provider are included in the documents attached as annexes hereto.

(4) The Service Provider shall satisfy all applicable PCI DSS requirements in the system in which the Service Provider shall have access to or process (store, use, transfer) the card data of his clients, and he shall ensure the continuous protection of such personal data.

(5) The Service Provider undertakes to protect the data traffic of the User Interface created for the Subscriber within the scope of the VCC Live Service with currently available, state-of-the-art encryption. Accordingly, the Service Provider shall ensure an encrypted data connection between the server and the Subscriber and act with reasonably due care while operating the servers.

(6) Concerning data security, in relation to operating the electronic communication means used during the provision of services, the Service Provider guarantees that the processed data will be available to the authorized persons (availability), the authenticity and authentication of the data will be ensured (authenticity of processing), the data will remain unchanged (data integrity), and the data will be protected against unauthorized access (data confidentiality).

(7) The Subscriber shall use his best efforts to protect his personal data, including, in particular, the user name and password(s) required for using the services offered by the Service Provider.
a) The Subscriber shall be liable for any event or activity performed by using his user name or password.
b) The Service Provider shall not undertake liability of any kind for data used in a manner deviating from that specified herein if this, or the damage arising from this, is attributable to the deliberate or negligent conduct of the Subscriber, or if the Service Provider has acted in compliance with the provisions hereof.

(8) The Service Provider shall notify the supervisory authority of any personal data breach without delay, but not later than within 72 hours after he has become aware thereof, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons. In case the Service Provider processes the personal data of the Subscriber as the processor of the Subscriber, he shall, as processor, notify the Subscriber without unreasonable delay.

(9) The Service Provider shall keep records of personal data breaches, indicating the relevant facts, their effects, and the remedial actions taken.
Source: General Terms of Agreement