Supplementing Terms for Commissioned Data Processing
(status: 10 May 2021)
- These terms apply to the agreement on the rights and duties of the Customer and TSI, insofar as personal data are gathered, processed or used within the scope of the service performance (pursuant to the GTC and the also applicable documents) by TSI on behalf of the Customer in the definition of Regulation (EU) 2016/679 (GDPR) and the BDSG [German Federal Data Protection Act].
Customer’s responsibility and rights to give instructions
- The Customer, as the data controller responsible for the processing, is responsible for the assessment of the permissibility of the gathering, processing and use of personal data, as well as the protection of the rights of data subjects. The Customer shall ensure that the conditions prescribed by law or authorities are provided and respectively that the requirements are fulfilled such as the obtaining of consent declarations. This also applies to requirements, for example, for the organisation of the commissioned data processing from the circumstance that the Customer is subject to its local data protection law.
- Within its area of responsibility, the Customer shall exempt TSI from the rights of third parties brought against TSI. Rights of data subjects shall be asserted exclusively against the Customer pursuant to Sec. 62 (1) BDSG.
- Additional instructions from the Customer relating to the processing of personal data, which go beyond the contractually agreed Services and product parameters and which entail additional expense for TSI, shall be remunerated separately accordingly. TSI can terminate the contract in case of instructions the implementation of which is impossible for TSI or possible only at disproportionately high additional expense. Additional instructions require the written form.
Scope, kind and purpose of the gathering, processing or use of data
- The subject, duration, kind and purpose of the data processing taking place, as the case may be, are determined by the Customer through its product choice, the service specifications of which result from the GTC and, if any, the also applicable documents, and which are specified herein with regard to the requirements under data protection regulations.
Types of data
The subject of the gathering, processing and/or use of personal data can be the following data types/categories (enumeration/description of the data categories):
- Contract master data (contractual relationship, interest in products or contracts)
- Contract billing and payment data
- Access data
- Consumption data
- Movement and activity data
- Logins, workplaces, work periods
- Log data
- Log data capable of identifying persons or personal log data (user names, IP addresses, etc.)
- Contact data (e.g. phone number, email address)
Group of data subjects
The group of data subjects whose data are used within the scope of this contract can cover the following categories of persons:
- Contacts/business partners
- Employee data
Supplementing terms for using Route-AI
Route-AI is a functionality within the driver logbook products of TSI that uses self-learning algorithms and artificial intelligence (AI) methods by means of movement profiling to assist in and partially or fully automate the filling in and completion of driver logbooks with route reason, additional journey information, movement data and other metadata. The use of Route-AI is optional and requires explicit consent. By agreeing to the use of Route-AI for one or more vehicles, the following paragraphs b. to g. shall additionally apply:
Scope, kind and purpose of the gathering, processing or use of data when using Route-AI
- The data processing operations carried out when using Route-AI may exceed the scope defined in section 3 as specified in the following provisions.
- For Route-AI enabled vehicles (devices), movement profiles will be created, provided that explicit consent has been given in accordance with section 4 paragraph e. Such movement profiles are created automatically using methods and technology based on artificial intelligence.
- The movement profiles contain, among other things, data that allow a categorisation of visited locations, times of stay and frequencies of visits as well as similar data that allow partial or complete classification of routes with, for example, the reason for the journey.
The movement profiles created may also incidentally contain data, or may enable the derivation of data, which, according to GDPR Art. 9, is personal information requiring special protection. This may include, but is not limited to, data revealing
- racial and ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- or trade union membership or affiliations.
The express aim of data processing using AI functionality is not to derive such information, but it cannot be ruled out that these categories of data may inadvertently be derived directly or indirectly. Data of this type, if it arises, will not be used or evaluated by TSI at any time and, insofar as it arises, will only be processed incidentally for the purposes defined under subsection (5).
Purpose of the data processing when using Route-AI
The purpose of data processing when using Route-AI and the creation of movement profiles is solely to supplement the driver's log for the associated vehicle (device), as well as to improve the associated algorithms and technologies. Further disclosure or dissemination, linking with other data or further, other automated processing, use or evaluation of the data in the context of the processing with AI functions do not take place. Other data processing that has already been otherwise stipulated in the context of the general terms and conditions and related documents shall not be affected by this.
Confidentiality of data and movement profiles when using Route-AI
The movement profiles are vehicle (device) specific and can only be viewed by persons who are also authorised to access the device data.
- Insofar as accesses for other persons are set up for the customer - these may be for example supervisors or administrators - the customer is responsible for informing these other authorised persons of the confidentiality of the personal data requiring special protection. The customer shall ensure that further accesses use restrictive access authorisations. The customer is responsible for monitoring compliance with data protection by these persons with further accesses.
- TSI treats created movement profiles as strictly confidential. All TSI employees and their associates who may come into contact with this data are obliged to maintain confidentiality. TSI also uses systemic, technical, and organisational security measures as outlined in section 6 to protect data from access by unauthorised persons.
Legal obligations of the customer
The use of Route-AI for other persons than the customer himself, or if other persons than the customer are or could be affected by it, is explicitly only permitted provided that the following provisions are fulfilled.
- The customer is responsible for the fulfilment of any information and disclosure obligations of all persons concerned (e.g. users of the vehicle) within the scope of the GDPR. This includes, but is not limited to, all provisions listed under section 4.
- By agreeing to the use of Route-AI by the customer for one or more vehicles (devices) vis-à-vis TSI, the customer confirms being aware of all legal obligations and, if applicable, having taken appropriate measures to comply with them.
The customer gives consent to TSI for the use of Route-AI. The consent is given by the customer in the system online in the form of explicitly activating Route-AI for each applicable vehicle (device). Insofar as this is done also on behalf of any other affected persons, the customer warrants that he is authorised to do so and, in particular, that he fulfils the following conditions:
- The customer has the obligation to obtain consent from all affected persons and to document this consent if necessary.
- The affected persons must be informed by the customer and made aware of their rights and obligations within the scope of data protection in accordance with the GDPR.
- Affected persons have rights of access, as well as other rights under the GDPR, which the customer ensures and fulfils.
- Consent by any affected person may be revoked at any time, also without giving reasons. If any affected person revokes their consent, the customer shall immediately revoke the agreement to the use of Route-AI vis-à-vis TSI. For further details, see paragraph g.
- TSI shall document this agreement and record the time of agreement and the person by whom the agreement is given to TSI. The customer attests to and is responsible for the accuracy of all information provided, if any.
Correction and right to correction
Automatically processed data can be corrected at any time by the customer or other authorised persons with access. The customer shall indemnify TSI in his area of responsibility against claims of affected persons against TSI and shall carry out necessary corrections promptly at the request of authorised, affected persons.
Revoking agreement to the use of Route-AI
If the customer revokes the agreement, all movement profiles for this vehicle (device) will be deleted promptly. No further new movement profiles will be created for this vehicle (device) through Route-AI functionality. Reasons for journeys and other meta-data or trip information for individual routes, which were previously created, identified, or otherwise classified by Route-AI and then manually confirmed by the customer, shall be retained. The data of the movement profiles which may have led to these automatically determined reasons for journeys and other meta-data or trip information for individual routes will also be deleted. All other automatically determined reasons for journeys and other meta-data or trip information for individual routes will be deleted.
Obligation for confidentiality of the persons authorised for the processing
- All persons who might access the Client’s data listed under section 3 and section 4 in accordance with the contract must be obligated to observe data secrecy according to Art. 28 GDPR and Sec. 62 (5) sent. 2 BDSG [German Federal Data Protection Act], and be instructed about the special data protection obligations resulting from this contract and the applicable limitation of instructions and purpose.
Ensuring the technical and organisational measures
- As the commissioned data processor, TSI assures a protection level in the processing of personal data that is appropriate to the risk, taking into account the relevant technical guidelines and recommendations of the Federal Office for Information Security.
- TSI shall take appropriate measures based on the current state of technology to fulfil the requirements for the security of data processing as defined in Sec. 64 (3) BDSG. The Contractor shall inform the Client on request about risk assessments and the measures taken.
- The Parties agree that the technical and organisational measures are subject to technical progress and further development. To this end, the Contractor is permitted to implement adequate alternative measures. The Contractor must inform the Client thereof on request and ensure that the security level does not fall below that of the defined measure.
Individual measures implemented as well as security considerations are described and defined in TSI's "Risk Assessment to Ensure the Security of Data Processing" and are available on request at any time. In the interest of reducing attack surfaces, this information is confidential and will not be made publicly available by TSI.
Hiring of subcontractors
- The Client generally agrees to the Contractor subcontracting carefully selected external companies, in particular but not exclusively in the areas of hosting, maintenance and installation, telecommunications services, user service, development, cleaning staff, auditors, and disposal of data carriers.
- TSI shall observe the requirements of Sec. 62 BDSG when awarding subcontracts and arrange the contractual agreement with the subcontractor in such a way that it is consistent with the data protection requirement defined in this Agreement between the Contractor and the Client.
- In the Annex to the “Supplementing Terms for the Commissioned Data Processing”, which TSI publishes on its website (tsi-telematic.com/en/TermsConditions), TSI informs about the respectively engaged subcontractors, which are entrusted with the processing of personal data or parts thereof. Intended engagements or replacements of further subcontractors will be published in a timely manner in the same place. The careful selection of hired subcontractors for the performance of the commissioned data processing on behalf of the Customer is solely up to TSI. The Customer’s right to prohibit the involvement of subcontractors pursuant to Sec. 62 (3) BDSG remains unaffected thereof. If the Customer exercises its right to object, TSI reserves the right to terminate the commissioned data processing contract.
- TSI engages further subcontractors for the problem-free operation of TSI’s technical and organisational infrastructure, which neither process the Customer’s personal data nor have access to them.
Support for the data controller responsible for the processing in case of requests and claims brought by data subjects
- TSI, as the commissioned data processor, supports the Customer, as the data controller responsible for the processing, by suitable means so as to ensure that the provisions regarding the rights of data subjects are observed. Additional services and additional expense for TSI, going beyond the contractually agreed Services and Product parameters, shall be remunerated separately accordingly.
Support for the data controller responsible for the processing regarding the reporting duty
- If the Contractor discovers that the Client’s data stored at its site, which are relevant for the contract, have been transmitted illegally or have otherwise been made known illegally to third parties, it shall immediately inform the Client thereof regardless of causation.
- This also applies in case of serious interruptions in operations (e.g. longer outage of a server system), or in case of a suspected other violation of regulations on the protection of personal data or other irregularities in the handling of the Customer’s relevant data.
- TSI shall support the Customer in compliance with Sec. 64 to Sec. 67 and Sec. 69 BDSG using the information available to TSI. Additional services and additional expense for TSI, going beyond the contractually agreed services and product parameters, shall be remunerated separately accordingly.
- The Client shall inform the Contractor if it discovers errors or irregularities in the check of the results of the work order.
Return and deletion of the personal data after the end of the commissioned data processing
- After completion of the contractually agreed work or at an earlier point on the Client’s request – at the latest on termination of the service level agreement – the Contractor shall surrender to the Client all documents having come into its possession, any results of processing and use that have been created, and data stocks that are related to the contractual relationship and which might permit conclusion as to specific persons; or it shall destroy them upon prior agreement and in a manner compliant with data protection regulations.
- No data carriers will be exchanged between the parties to this commissioned data processing. Therefore, no provisions regarding a return have to be defined herein.
Audit rights of the data controller responsible for the data processing
- On request, TSI shall provide the Client with all required information, in particular the logs prepared according to Sec. 76 BDSG, to prove compliance with the obligations of the data controller responsible for the processing, to the appropriate extent and in an appropriate format. Additional Services and additional expense for TSI shall be remunerated separately accordingly.
- TSI shall facilitate audits that are carried out by the Customer or an auditor assigned by it.
Duty to provide information regarding the data protection officer
- In order to comply with Sec. 70 (2) BDSG, the Client shall inform TSI of the names and contact details of each data controller responsible for the data processing (if different from the Client) and, if applicable, of the data protection officer or officers, and it shall notify of any changes promptly and without request.
Obligation of the commissioned data processor to notify when an instruction violates data protection
- If TSI believes that an instruction from the Client violates the provisions of the GDPR or other data protection regulations of the EU or the Member States, TSI shall inform the data controller immediately.
- The invalidity of one of the provisions of this contract does not affect the validity of the remaining provisions. If a provision should prove to be invalid, TSI shall replace it by a new provision, which comes closest to what the Customer and TSI have intended.
Errors and omissions excepted. Only the latest German print version is legally binding.