>!-- Randbereich. -->
Internationaler Datenschutz
Homepage

Wir über Uns
Berlin
National
Europäische Union
International
Recht
T.O Maßnahmen
Aktuelles
Kontrolle
Materialien
Service
Themen

Agreement on Interterritorial Data Protection

by and between

A. Service Provider - hereinafter referred to as "SP" -

B. Data Protection Company,USA - hereinafter referred to as " DP" -

C. Client Company - hereinafter referred to as "CC" -

  1. CC has unrestricted authority to engage in banking transactions. CC has entrusted SP with the operation and management of the Credit Card business, including the accounting and data processing, on the basis of the terms of an Service Agreement dated XX.YY.ZZ, according to which SP performs for CC all services pertaining to such Credit Card business. Concurrent with their application for a Credit Card, the cardholders agree to the transfer of their personal data to SP and to those companies entrusted by SP with such data processing

  2. Due to reasons of efficiency, service and centralization, SP have entrustred DP with the processing of the Credit Card business as of XX.YY.ZZ. In light of such considerations, the SP - as principals - and DP - as independent contractors - concluded the DP Service Agreement, to which CC has expressly consented.

  3. The performance of the DP Service Agreement requires SP to transfer the personal data of the cardholders to DP and further requires DP to process and use these data.

    In order to protect the cardholders' rights with respect to both the data protection law, as well as the banking secrecy, and in order to comply with the banking supervisory and data protection requirements,

THE CONTRACTUAL PARTIES AGREE AND COVENANT AS FOLLOWS:

§ 1 Basic Principles

The parties hereto undertake to safeguard the cardholders' right to protection against unauthorized capture, storage and use of their personal data and their right to informational self-determination. The scope of such protection shall be governed by the standards as laid down in the German Federal Data Protection Law (Bundesdatenschutzgesetz, abbreviated to "BDSG"). The parties hereto additionally agree to comply with the banking secrecy regulations.

Seitenanfang

§ 2 Instructions of the SP

  1. DP shall process the data provided by the SP solely in accordance with the SP's instructions and rules, and the provisions contained in this Agreement. DP undertakes to process and use the data only for the purpose for which the data have been provided by SP to DP, said purposes including those as described in the DP Service Agreement. The use of such data for purposes other than described above requires the SP's express written consent.

  2. At any time, SP may make inquiries to DP about the personal data transferred by SP and stored at DP, and SP may require DP to perform corrections, deletions or blockings of such personal data transferred by SP to DP.

§ 3 Inspection Rights of the SP

At regular intervals, an (joint) agent appointed by SP shall verify as to whether DP complies with the terms and conditions of this Agreement, and in particular with the data protection law as well as the banking secrecy regulations. DP shall grant SP's agent supervised unimpeded access to the extent necessary to accomplish the inspection and review of all data processing facilities, data files and other documentation needed for processing and utilizing the personal data transferred by the SP in a fashion which is consistent with the DP Operational Policies. DP shall provide the agent with all such information as deemed necessary to perform this inspection function.

§ 4 Use of Subcontractors, Transmission of Data to Third Parties

  1. DP may not appoint non-affiliated third parties, in particular subcontractors, to perform and fullfill DP's commitments and obligations under this Agreement.

  2. For marketing purposes, the transfer of personal data to third parties provided by the SP is prohibited, except in those cases, where such personal data is transferred to affiliated companies enganged in the banking business in order to market financial services, the transfer of such data beyond the aforementioned scope to third parties, shall require SP's express approval. Such approval is limited to the scope of the cardholders' consent as obtained on the application form.

§ 5 Data Protection

DP and the SP undertake to Institute and maintain the following data protection measures:

  1. Access Control of Persons

    DP shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data transferred by SP are processed.

    This shall be accomplished by:

    a. Establishing security areas,
    b. Protection and restriction of access paths;
    c. Securing the decentralized data processing equipment and personal computers;
    d. Establishing access authorizations for employees and third parties, including the respective documentation;
    e. Identification of the persons having access authority;
    f. Regulations on key-codes;
    g. Restriction on keys;
    h. Code card passes;
    i. Visitors books;
    j. Time recording equipment;
    k. Security alarm system or other appropriate security measures.

  2. Data Media Control

    DP undertakes to implement suitable measures to prevent the unauthorized reading, copying alteration or removal of the data media used by DP and containing, personal data of the cardholders.

    This shall be accomplished by:

    a. Designating the areas in which data media may/must be located;
    b. Designating, the persons in such areas who are authorized to remove data media;
    c. Controlling the removal of data media;
    d. Securing the areas in which data media are located;
    e. Release of data media to only authorized persons;
    f. Control of files, controlled and documented destruction of data media;
    g. Polices controlling the production of back-up copies.

  3. Data Memory Control

    DP undertakes to implement suitable measures to prevent unauthorized data input into memory and the unauthorized reading, alteration or deletion of the stored data on cardholders.

    This shall be accomplished by:

    a. An authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
    b. Authentication of the authorized personnel;
    c. Protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data,
    d. Utilization of user codes (passwords);
    e. Use of encryption for critical security files,
    f. Specific access rules for procedures, control cards, process control methods, program cataloging authorization;
    g. Guidelines for data file organization;
    h. Keeping records of data file use;
    i. Separation of production and test environment for libraries and data files
    j. Providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked,
    k. Automatic log-off of user ID's that have not been used for a substantial period of time.

  4. User Control

    DP shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons by means of data transmission equipment.

    This shall be accomplished by:

    a. Identification of the terminal and/or the terminal user to the DP system,
    b. Automatic turn-off of the user ID when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts);
    c. Issuing and safeguarding of identification codes,
    d. Dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions;
    e. Evaluation of records.

  5. Personnel Control

    Upon request, DP shall provide SP with a list of DP employees entrusted with processing the personal data transferred by SP, together with a description of their access rights.

  6. Access Control to Data

    DP commits that the persons entitled to use DP's data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization).

    This shall be accomplished by:

    a. Allocation of individual terminals and /or terminal user, and identification characteristics exclusive to specific functions;
    b. Functional and/or time-restricted use of terminals and/or terminal users, and identification characteristics;
    c. Persons with function authorization codes (direct access, batch processing) access to work areas;
    d. Electronical verification of authorization;
    e. Evaluation of records.

  7. Transmission Control

    DP shall be obligated to enable the verification and tracing of the locations/destinations to which the cardholders' data are transferred by utilization of DP's data communication equipment/devices.

    This shall be accomplished by:

    a. Documentation of the retrieval and transmission programs;
    b. Documentation of the remote locations/destinations to which a transmission is intended, and of the transmission paths (logical paths).

  8. Input Control

    DP shall provide for the retrospective ability to review and determine the time and the point of the cardholders' data entry into DP's data processing system.

    This shall be accomplished by:

    a. Proof established within DP's organization of the input authorization;
    b. Electronic recording of entries.

  9. Instructional Control

    The cardholders' data transferred by SP to DP may only be processed in accordance with instructions of SP.

    This shall be accomplished by:

    a. Binding policies and procedures for DP employees, subject to SP's prior approval of such procedures and policies,
    b. Upon request, access will be granted to those SP's employees and agents who are responsible for monitoring DP's compliance with this Agreement (c.f. § 3 hereof.)

  10. Transport Control

    DP and SP shall implement suitable measures to prevent the cardholders' personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.

    This shall be accomplished by:

    a. Encryption of the data for on-line transmission, or transport by means of data carriers, (tapes and cartridges);
    b. Monitoring of the completeness and correctness of the transfer of data (end-to-end check).

  11. Organisation Control

    DP shall maintain its internal organization in a manner that meets the requirements of this Agreement.

    This shall be accomplished by:

    a. Internal DP policies and procedures, guidelines, work instructions, process descriptions, and regulations for programming, testing, and release, insofar as they relate to data transferred by SP;
    b. Formulation of a data security concept whose content has been reconciled with SP;
    c. Industry standard system and program examination
    d. Formulation of an emergency plan (back-up contingency plan).

§ 6 Data Protection Supervisor

  1. DP undertakes to appoint a Data Protection Supervisor and to notify SP of the appointee(s). DP shall only select an employee with adequate expertise and reliability necessary to perform such a duty, and provide SP with appropriate evidence thereof

  2. The Data Protection Supervisor shall be directly subordinated/accountable to DP's General Management. He shall not be bound by instructions which obstruct or hinder the performance of his duty in the field of data protection. He shall cooperate with SP's agent - as indicated in § 3 hereof - in monitoring the performance of this Agreement and adhering to the data protection requirements in conjunction with the data in question. In the event that DP chooses to change the person who serves as a Data Protection Supervisor, DP shall give timely notice to SP of such change. The Data Protection Supervisor shall be bound by confidentiality obligations.

  3. The Data Protection Supervisor shall be available as the on-site contact for SP.

§ 7 Confidentiality Obligation

DP shall impose a confidentiality obligation upon those employees entrusted with processing the personal data transferred by SP. DP shall furthermore obligate its employees to adhere to the banking and data secrecy regulations and document such employees' obligation in writing. Upon request, DP shall provide SP with satisfactory evidence of compliance with this provision.

§ 8 Rights of Concerned Persons

  1. At any time, cardholders whose data are transferred by CC to SP, and thereafter further transferred by SP to DP, shall be entitled to make inquiries to DP (who are required to respond) as to:

    • the stored personal data, including the origin and the recipient of the data,

    • the purpose of storage,

    • the persons and locations/destinations to which such data are transferred on a regular basis.

    The requested Information shall generally be provided in writing.

  2. SP shall honour the concerned person's request to correct his personal data at any time, provided that the stored data are incorrect. The same shall apply to data stored at DP.

  3. The concerned person may claim from SP the deletion or blocking of any data stored at the SP or DP, in the event that

    • such storage is prohibited by law,

    • the data in question relate to Information about health, criminal actions, violations of the public order, or religious or political opinions, and its truth/correctness cannot be proved by SP,

    • such data are processed to serve SP's own purposes, and such data are no longer necessary to serve the purpose of the data storage under the agreement with the respective cardholders.

    Notwithstanding the foregoing, the parties hereto submit to the provisions of § 35 of the German Federal Data Protection Law (BDSG), and agree to be familiar with such provisions.

  4. The concerned person may demand that SP block his or her personal data, if he or she contests the correct nature thereof and if it is not possible to determine whether such data is correct or incorrect. This shall also apply to such data stored by DP.

  5. If CC, SP or DP should violate the data protection or banking secrecy regulations, the person concerned shall be entitled to claim damages caused and incurred thereby as provided in the German Federal Data Protection Law (BDSG). CC's and SP's liability shall moreover extend to those claims arising from breach of this Agreement and asserted against DP and/or its employees in performance of this Agreement.

  6. DP acknowledges the obligation assumed by CC and SP towards the concerned person, and undertakes to comply with all SP's instructions concerning such person. The concerned person may also directly assert claims against DP and file an action at DP's applicable place of jurisdiction.

§ 9 Notification to the Concerned Person

SP undertake to appropriately notify the concerned cardholder of the transfer of their data to DP.

§ 10 Data Protection Supervision

  1. According to the German Federal Data Protection Law (BDSG), SP and CC are subject to public control exercised by the respective responsible supervisory authorities.

  2. Upon request of CC or either of the SP, DP shall provide the respective supervisory authorities with the desired Information and grant them the opportunity of auditing to the same extent as they would be entitled to conduct audits at SP and CC; this includes the entitlement to inspections at DP's premises by the supervisory authorities or their nominated agents, unless barred by binding instructions of the appropriate U.S. authorities.

§ 11 Banking Supervision

  1. Any vouchers, commercial books of accounting, and work instructions needed for the comprehension of such documents, as well as other organizational documents shall physically remain at SP, unless electronically archived by scanning, devices in a legally permissible fashion.

  2. SP and DP undertake to adhere to the principles of proper accounting practice applicable in Germany for computer-aided processes and the auditing thereof, in particular FAMA 1/1987.

  3. SP undertake to submit a data processing concept and a data security concept to the German Federal Authority for the Supervision of Banks (Bundesaufsichtsamt für das Kreditwesen) prior to commencing transfer of data to DP.

  4. The remote processing of the data shall be subject to the internal audit department of CC and SP. DP agrees to cooperate with the internal auditors of CC and SP, who shall have the right to inspect the files of DP's internal auditors, insofar as they relate to the data files transferred by SP to DP. The internal auditors of SP and of CC shall conduct audits of DP as required by due diligence.

  5. In a joint declaration to the Federal Banking Supervisory Authority; CC, SP and DP shall undertake to allow the inclusion of DP in audits in accordance with the provisions of § 44 of the Banking Law (Kreditwesengesetz abbreviated to KWG) at any time and not to impede or obstruct such audits, provided that legal requirements and/or instructions of U.S. authorities bind DP to the contrary.

  6. DP shall request the US banking supervisory authorities' confirmation in writing to the effect that no objections will be raised against the intended remote data processing concept. In the event that DP cannot procure such, written confirmation upon SP's request, SP and CC may withdraw from this Agreement and the underlying DP Service Agreement.

§ 12 Indemnification Claim

  1. DP shall indemnify SP within the scope of their internal and contractual relationship from any claims of damages asserted by cardholders, and resulting from DP's incompliance with the terms and conditions of this Agreement.

  2. SP shall indemnify DP within the scope of their internal and contractual relationship from any claims of damages asserted by cardholders, and resulting from SP's incompliance with the terms and conditions of this Agreement.

§ 13 Term of the Agreement

  1. This Agreement is effective as of July 1st, 1995, until terminated. It may be terminated by any party herto at the end of each calendar year upon 12 months notice prior to the expiration date, subject to each party's right of termination of the Agreement for material, unremedied breach hereof The termination of this Agreement by any one of the parties shall result in the termination of the entire Agreement with respect to the other parties.

  2. DP commits to return and delete all personal data stored at the time of termination hereof in accordance with the SP's instructions.

§ 14 Confidentiality

The parties hereto commit to treat strictly confidential any trade, business and operating secrets or other sensitive information of the other parties involved. This obligation shall survive termination of this Agreement.

§ 15 General Provisions

  1. This Agreement sets forth the entire understanding between the parties hereto in conjunction with the subject matter as laid down herein and none of the parties hereto has entered into this Agreement in reliance upon any representation, warranty or undertaking of any other party which is not contained in this Agreement or incorporated by reference herein. Any subsequent amendments to this Agreement shall be in writing duly signed by authorized representatives of the parties hereto.

  2. If one or more provisions of this Agreement becomes invalid, or the Agreement is proven to be incomplete, the validity and legality of the remaining provisions hereof shall not be affected or impaired thereby. The parties hereto agree to substitute the invalid part of this Agreement by such a legally valid provision which constitutes the closest representation of the parties' intention and the economical purpose of the invalid term, and the parties hereto further agree to be bound by such a valid term. An incompleteness of this Agreement shall be bridged in a similar fashion.

  3. The Parties hereto submit to the jurisdiction and venue of the courts of Frankfurt/M.

  4. This Agreement shall be governed by, interpreted and construed in accordance with German law.

SPDPCC
By:_________________________________
Its: _________________________________

Zuletzt geändert:
am 13.02.97

mail to webmaster