Agreement on Interterritorial Data Protection
by and between
A. Service Provider - hereinafter referred to as "SP" -
B. Data Protection Company, USA - hereinafter referred to as "DP" -
C. Client Company - hereinafter referred to as "CC" -
- CC has unrestricted authority to engage in banking transactions.
CC has entrusted SP with the operation and management of the Credit
Card business, including the accounting and data processing, on
the basis of the terms of a Service Agreement dated XX.YY.ZZ,
according to which SP performs for CC all services pertaining
to such Credit Card business. Concurrent with their application
for a Credit Card, the cardholders agree to the transfer of their
personal data to SP and to those companies entrusted by SP with
such data processing.
- Due to reasons of efficiency, service and centralization, SP
have entrusted DP with the processing of the Credit Card business
as of XX.YY.ZZ. In light of such considerations, the SP - as principals
- and DP - as independent contractors - concluded the DP Service
Agreement, to which CC has expressly consented.
- The performance of the DP Service Agreement requires SP to
transfer the personal data of the cardholders to DP and further
requires DP to process and use these data.
In order to protect the cardholders' rights with respect to both
the data protection law, as well as the banking secrecy, and in
order to comply with the banking supervisory and data protection
requirements,
THE CONTRACTUAL PARTIES AGREE AND COVENANT AS FOLLOWS:
§ 1 Basic Principles
The parties hereto undertake to safeguard the cardholders' right
to protection against unauthorized capture, storage and use of
their personal data and their right to informational self-determination.
The scope of such protection shall be governed by the standards
as laid down in the German Federal Data Protection Law (Bundesdatenschutzgesetz,
abbreviated to "BDSG"). The parties hereto additionally
agree to comply with the banking secrecy regulations.
§ 2 Instructions of the SP
- DP shall process the data provided by the SP solely in accordance
with the SP's instructions and rules, and the provisions contained
in this Agreement. DP undertakes to process and use the data only
for the purpose for which the data have been provided by SP to
DP, said purposes including those as described in the DP Service
Agreement. The use of such data for purposes other than described
above requires the SP's express written consent.
- At any time, SP may make inquiries to DP about the personal
data transferred by SP and stored at DP, and SP may require DP
to perform corrections, deletions or blockings of such personal
data transferred by SP to DP.
§ 3 Inspection Rights of the SP
At regular intervals, a (joint) agent appointed by SP shall verify
as to whether DP complies with the terms and conditions of this
Agreement, and in particular with the data protection law as well
as the banking secrecy regulations. DP shall grant SP's agent
supervised unimpeded access to the extent necessary to accomplish
the inspection and review of all data processing facilities, data
files and other documentation needed for processing and utilizing
the personal data transferred by the SP in a fashion which is
consistent with the DP Operational Policies. DP shall provide
the agent with all such information as deemed necessary to perform
this inspection function.
§ 4 Use of Subcontractors, Transmission of Data to Third Parties
- DP may not appoint non-affiliated third parties, in particular
subcontractors, to perform and fulfill DP's commitments and obligations
under this Agreement.
- For marketing purposes, the transfer of personal data provided
by the SP to third parties is prohibited, except in those cases
where such personal data is transferred to affiliated companies
engaged in the banking business in order to market financial
services; the transfer of such data beyond the aforementioned
scope to third parties shall require SP's express approval. Such
approval is limited to the scope of the cardholders' consent as
obtained on the application form.
§ 5 Data Protection
DP and the SP undertake to institute and maintain the following
data protection measures:
Access Control of Persons
DP shall implement suitable measures in order to prevent unauthorized
persons from gaining access to the data processing equipment where
the data transferred by SP are processed.
This shall be accomplished by:
a. Establishing security areas;
b. Protection and restriction of access paths;
c. Securing the decentralized data processing equipment and personal
computers;
d. Establishing access authorizations for employees and third
parties, including the respective documentation;
e. Identification of the persons having access authority;
f. Regulations on key-codes;
g. Restriction on keys;
h. Code card passes;
i. Visitors' books;
j. Time recording equipment;
k. Security alarm system or other appropriate security measures.
Data Media Control
DP undertakes to implement suitable measures to prevent the unauthorized
reading, copying, alteration or removal of the data media used
by DP and containing personal data of the cardholders.
This shall be accomplished by:
a. Designating the areas in which data media may/must be located;
b. Designating the persons in such areas who are authorized to
remove data media;
c. Controlling the removal of data media;
d. Securing the areas in which data media are located;
e. Release of data media to only authorized persons;
f. Control of files, controlled and documented destruction of
data media;
g. Policies controlling the production of back-up copies.
Data Memory Control
DP undertakes to implement suitable measures to prevent unauthorized
data input into memory and the unauthorized reading, alteration
or deletion of the stored data on cardholders.
This shall be accomplished by:
a. An authorization policy for the input of data into memory,
as well as for the reading, alteration and deletion of stored
data;
b. Authentication of the authorized personnel;
c. Protective measures for the data input into memory, as well
as for the reading, alteration and deletion of stored data;
d. Utilization of user codes (passwords);
e. Use of encryption for critical security files;
f. Specific access rules for procedures, control cards, process
control methods, program cataloging authorization;
g. Guidelines for data file organization;
h. Keeping records of data file use;
i. Separation of production and test environment for libraries
and data files;
j. Providing that entries to data processing facilities (the rooms
housing the computer hardware and related equipment) are capable
of being locked;
k. Automatic log-off of user IDs that have not been used for
a substantial period of time.
User Control
DP shall implement suitable measures to prevent its data processing
systems from being used by unauthorized persons by means of data
transmission equipment.
This shall be accomplished by:
a. Identification of the terminal and/or the terminal user to
the DP system;
b. Automatic turn-off of the user ID when several erroneous passwords
are entered, log file of events (monitoring of break-in attempts);
c. Issuing and safeguarding of identification codes;
d. Dedication of individual terminals and/or terminal users, identification
characteristics exclusive to specific functions;
e. Evaluation of records.
Personnel Control
Upon request, DP shall provide SP with a list of DP employees
entrusted with processing the personal data transferred by SP,
together with a description of their access rights.
Access Control to Data
DP commits that the persons entitled to use DP's data processing
system are only able to access the data within the scope and to
the extent covered by their respective access permission (authorization).
This shall be accomplished by:
a. Allocation of individual terminals and/or terminal users, and
identification characteristics exclusive to specific functions;
b. Functional and/or time-restricted use of terminals and/or terminal
users, and identification characteristics;
c. Persons with function authorization codes (direct access, batch
processing) access to work areas;
d. Electronic verification of authorization;
e. Evaluation of records.
Transmission Control
DP shall be obligated to enable the verification and tracing of
the locations/destinations to which the cardholders' data are
transferred by utilization of DP's data communication equipment/devices.
This shall be accomplished by:
a. Documentation of the retrieval and transmission programs;
b. Documentation of the remote locations/destinations to which
a transmission is intended, and of the transmission paths (logical
paths).
Input Control
DP shall provide for the retrospective ability to review and determine
the time and the point of the cardholders' data entry into DP's
data processing system.
This shall be accomplished by:
a. Proof established within DP's organization of the input authorization;
b. Electronic recording of entries.
Instructional Control
The cardholders' data transferred by SP to DP may only be processed
in accordance with instructions of SP.
This shall be accomplished by:
a. Binding policies and procedures for DP employees, subject to
SP's prior approval of such procedures and policies;
b. Upon request, access will be granted to those SP's employees
and agents who are responsible for monitoring DP's compliance
with this Agreement (cf. § 3 hereof).
Transport Control
DP and SP shall implement suitable measures to prevent the cardholders'
personal data from being read, copied, altered or deleted by unauthorized
parties during the transmission thereof or during the transport
of the data media.
This shall be accomplished by:
a. Encryption of the data for on-line transmission, or transport
by means of data carriers (tapes and cartridges);
b. Monitoring of the completeness and correctness of the transfer
of data (end-to-end check).
Organisation Control
DP shall maintain its internal organization in a manner that meets
the requirements of this Agreement.
This shall be accomplished by:
a. Internal DP policies and procedures, guidelines, work instructions,
process descriptions, and regulations for programming, testing,
and release, insofar as they relate to data transferred by SP;
b. Formulation of a data security concept whose content has been
reconciled with SP;
c. Industry standard system and program examination;
d. Formulation of an emergency plan (back-up contingency plan).
§ 6 Data Protection Supervisor
- DP undertakes to appoint a Data Protection Supervisor and
to notify SP of the appointee(s). DP shall only select an employee
with adequate expertise and reliability necessary to perform such
a duty, and provide SP with appropriate evidence thereof.
- The Data Protection Supervisor shall be directly subordinated/accountable
to DP's General Management. He shall not be bound by instructions
which obstruct or hinder the performance of his duty in the field
of data protection. He shall cooperate with SP's agent - as indicated
in § 3 hereof - in monitoring the performance of this Agreement
and adhering to the data protection requirements in conjunction
with the data in question. In the event that DP chooses to change
the person who serves as a Data Protection Supervisor, DP shall
give timely notice to SP of such change. The Data Protection Supervisor
shall be bound by confidentiality obligations.
- The Data Protection Supervisor shall be available as the on-site
contact for SP.
§ 7 Confidentiality Obligation
DP shall impose a confidentiality obligation upon those employees
entrusted with processing the personal data transferred by SP.
DP shall furthermore obligate its employees to adhere to the banking
and data secrecy regulations and document such employees' obligation
in writing. Upon request, DP shall provide SP with satisfactory
evidence of compliance with this provision.
§ 8 Rights of Concerned Persons
- At any time, cardholders whose data are transferred by CC to
SP, and thereafter further transferred by SP to DP, shall be entitled
to make inquiries to DP (who are required to respond) as to:
- the stored personal data, including the origin and the recipient
of the data,
- the purpose of storage,
- the persons and locations/destinations to which such data
are transferred on a regular basis.
The requested information shall generally be provided in writing.
- SP shall honour the concerned person's request to correct his
personal data at any time, provided that the stored data are incorrect.
The same shall apply to data stored at DP.
- The concerned person may claim from SP the deletion or blocking
of any data stored at the SP or DP, in the event that
- such storage is prohibited by law,
- the data in question relate to information about health, criminal
actions, violations of the public order, or religious or political
opinions, and its truth/correctness cannot be proved by SP,
- such data are processed to serve SP's own purposes, and such
data are no longer necessary to serve the purpose of the data
storage under the agreement with the respective cardholders.
Notwithstanding the foregoing, the parties hereto submit to the
provisions of § 35 of the German Federal Data Protection
Law (BDSG), and agree to be familiar with such provisions.
- The concerned person may demand that SP block his or her personal
data, if he or she contests the correct nature thereof and if
it is not possible to determine whether such data is correct or
incorrect. This shall also apply to such data stored by DP.
- If CC, SP or DP should violate the data protection or banking
secrecy regulations, the person concerned shall be entitled to
claim damages caused and incurred thereby as provided in the German
Federal Data Protection Law (BDSG). CC's and SP's liability shall
moreover extend to those claims arising from breach of this Agreement
and asserted against DP and/or its employees in performance of
this Agreement.
- DP acknowledges the obligation assumed by CC and SP towards
the concerned person, and undertakes to comply with all SP's instructions
concerning such person. The concerned person may also directly
assert claims against DP and file an action at DP's applicable
place of jurisdiction.
§ 9 Notification to the Concerned Person
SP undertake to appropriately notify the concerned cardholders
of the transfer of their data to DP.
§ 10 Data Protection Supervision
- According to the German Federal Data Protection Law (BDSG),
SP and CC are subject to public control exercised by the respective
responsible supervisory authorities.
- Upon request of CC or either of the SP, DP shall provide the
respective supervisory authorities with the desired information
and grant them the opportunity of auditing to the same extent
as they would be entitled to conduct audits at SP and CC; this
includes the entitlement to inspections at DP's premises by the
supervisory authorities or their nominated agents, unless barred
by binding instructions of the appropriate U.S. authorities.
§ 11 Banking Supervision
- Any vouchers, commercial books of accounting, and work instructions
needed for the comprehension of such documents, as well as other
organizational documents shall physically remain at SP, unless
electronically archived by scanning devices in a legally permissible
fashion.
- SP and DP undertake to adhere to the principles of proper accounting
practice applicable in Germany for computer-aided processes and
the auditing thereof, in particular FAMA 1/1987.
- SP undertake to submit a data processing concept and a data
security concept to the German Federal Authority for the Supervision
of Banks (Bundesaufsichtsamt für das Kreditwesen) prior to
commencing transfer of data to DP.
- The remote processing of the data shall be subject to the internal
audit department of CC and SP. DP agrees to cooperate with the
internal auditors of CC and SP, who shall have the right to inspect
the files of DP's internal auditors, insofar as they relate to
the data files transferred by SP to DP. The internal auditors
of SP and of CC shall conduct audits of DP as required by due
diligence.
- In a joint declaration to the Federal Banking Supervisory Authority,
CC, SP and DP shall undertake to allow the inclusion of DP in
audits in accordance with the provisions of § 44 of the Banking
Law (Kreditwesengesetz, abbreviated to KWG) at any time and not
to impede or obstruct such audits, unless legal requirements
and/or instructions of U.S. authorities bind DP to the contrary.
- DP shall request the US banking supervisory authorities' confirmation
in writing to the effect that no objections will be raised against
the intended remote data processing concept. In the event that
DP cannot procure such written confirmation upon SP's request,
SP and CC may withdraw from this Agreement and the underlying
DP Service Agreement.
§ 12 Indemnification Claim
- DP shall indemnify SP within the scope of their internal and
contractual relationship from any claims of damages asserted by
cardholders and resulting from DP's non-compliance with the terms
and conditions of this Agreement.
- SP shall indemnify DP within the scope of their internal and
contractual relationship from any claims of damages asserted by
cardholders and resulting from SP's non-compliance with the terms
and conditions of this Agreement.
§ 13 Term of the Agreement
- This Agreement is effective as of July 1st, 1995, until terminated.
It may be terminated by any party hereto at the end of each calendar
year upon 12 months' notice prior to the expiration date, subject
to each party's right of termination of the Agreement for material,
unremedied breach hereof. The termination of this Agreement by
any one of the parties shall result in the termination of the
entire Agreement with respect to the other parties.
- DP commits to return and delete all personal data stored at
the time of termination hereof in accordance with the SP's instructions.
§ 14 Confidentiality
The parties hereto commit to treat strictly confidential any trade,
business and operating secrets or other sensitive information
of the other parties involved. This obligation shall survive termination
of this Agreement.
§ 15 General Provisions
- This Agreement sets forth the entire understanding between
the parties hereto in conjunction with the subject matter as laid
down herein and none of the parties hereto has entered into this
Agreement in reliance upon any representation, warranty or undertaking
of any other party which is not contained in this Agreement or
incorporated by reference herein. Any subsequent amendments to
this Agreement shall be in writing duly signed by authorized representatives
of the parties hereto.
- If one or more provisions of this Agreement become invalid,
or the Agreement is proven to be incomplete, the validity and
legality of the remaining provisions hereof shall not be affected
or impaired thereby. The parties hereto agree to substitute the
invalid part of this Agreement by such a legally valid provision
which constitutes the closest representation of the parties' intention
and the economical purpose of the invalid term, and the parties
hereto further agree to be bound by such a valid term. An incompleteness
of this Agreement shall be bridged in a similar fashion.
- The Parties hereto submit to the jurisdiction and venue of
the courts of Frankfurt/M.
- This Agreement shall be governed by, interpreted and construed
in accordance with German law.
|      | SP          | DP          | CC          |
| By:  | ___________ | ___________ | ___________ |
| Its: | ___________ | ___________ | ___________ |