General terms and conditions of cirplus GMBH
General Information and Contract Purpose
1.1. These General Terms and Conditions (hereinafter referred to as “GTC") apply to any use of the services offered by the cirplus GmbH (with its seat in Hamburg, registered with the Commercial Register of the local court of Hamburg under HRB 155339) (“cirplus") by customers who are entrepreneurs within the meaning of § 14 of the German Civil Code (BGB) (the “Customer”and together with cirplus the "Parties").
1.2 In particular, cirplus offers Customers the opportunity to bring together supply and demand with regard to the sale or purchase of recycled plastics, virgin, additives of plastics and/or non-hazardous plastic waste (within the meaning of the Waste Catalogue Ordinance, AVV) (the "Material(s)") (the “Contract Purpose"). All services by cirplus are provided at its own discretion via the website www.cirplus.com (the "Platform") and/or by other means (in particular via e-mail, telephone and/or postal services).
1.3 cirplus' offers are aimed in particular at Customers who wish to acquire (erwerben) Materials (the "Buyer(s)") or dispose of (veräußern) them (the "Supplier(s)"). The use of cirplus' services by other brokers of Materials (or comparable other products), agents of Materials (or comparable other products) and/or other entrepreneurs and or other direct competitors of cirplus is not permitted.
1.4 Deviations from these GTC are only deemed to be agreed if they have been expressly confirmed in writing by cirplus. Any existing General Terms and Conditions of the Customers are expressly not recognized by cirplus. In particular, the mere omission of an objection by cirplus to the Customer's General Terms and Conditions shall not cause them to be considered as agreed. This shall also apply if cirplus performs services unconditionally upon knowledge of opposing terms and conditions of the Customer or terms and conditions diverging from these GTC.
1.5 For important reasons, in particular in the event of changes to statutory provisions, the supreme court jurisdiction or the market conditions, cirplus may notify the Customer of an amendment to these GTC by identifying the vital amendments. The amended GTC shall be deemed to have been agreed to if the Customer has not objected to the amendment within one month upon receipt of the notification and cirplus has explicitly notified the Customer of this consequence while informing them about the amendments. Regardless of the foregoing regulations, amendments to the service content agreed on with the Customer require the express consent of the Customer.
Registration of company account; Conclusion of the Platform Agreement and Onboarding E-Mails
2.1 In order to be able to use certain services offered by cirplus through the Platform, the Customer must register for the use of the Platform. During the registration, the Customer has to provide all information marked as "mandatory field". All information provided by the Customer must be correct, complete and not misleading.
2.2 With the separate confirmation of these GTC by selecting the appropriate box and confirming the registration button, the Customer makes cirplus a binding offer to conclude a usage contract with cirplus based on these GTC and at the terms specified in the registration process (the “Platform Agreement”) Registration to the Platform without the inclusion of these GTC is not possible.
2.3 The Platform Agreement is effectively concluded as soon as cirplus has accepted the Customer's offer via e-mail. A mere confirmation e-mail sent by cirplus regarding the receipt of the Customer's offer does not constitute acceptance of his offer. cirplus is entitled to refuse to conclude a Platform Agreement with the Customer without giving reasons.
2.4 cirplus reserves the right to make the accessibility of the full scope of the Platform services, in particular to offer materials via the Platform or to contact Suppliers, dependent on the payment of a fee, subject to a separate agreement with the Customer, for example in the form of a subscription model.
2.5 The Customer is obliged to keep the password, which he received or chose during the registration process, strictly confidential and not to pass it on to third parties. He must renew the password regularly. If third parties gain access to the Customer's account with the help of the password due to the Customer's negligence, the Customer must accept responsibility for the actions of the third party and is liable for them. However, the Customer has the opportunity to prove that he sufficiently protected the password from access by third parties and that the actions on the Platform were carried out by a third party. If the Customer has reason to believe that a third party is in possession of his password, he must immediately change his password and inform cirplus.
2.6 As integral part of the Platform Agreement, cirplus may send onboarding e-mails with instructions and helpful information on how to use the Platform (e.g. on setting up the functional scope or functional extensions of the Platform, etc.) to every user.
Use of the Platform
3.1 The use of the Platform requires that the Customer has the technical means (computer, internet access, e-mail address) required for access via the internet. To ensure optimal use of the Platform, cirplus advises the use of the browser types Google Chrome, Mozilla Firefox or Safari in their respective current versions, as well as to allow cookies in the settings of the browser used.
3.2 The Customer may use the Platform exclusively for the Contract Purpose. The Customer undertakes to grant access to the Platform only to persons within its organisation and to ensure that appropriate security precautions are taken to prevent access to the Platform by unauthorized persons. Such security measures include in particular the use of a secure password.
3.3 In order to ensure the proper conduct of business, it is necessary that the Customer informs cirplus immediately of any changes to a name/his company, his legal form, his registered office, and his legal representatives.
3.4 The Customer may only post data, texts, images and other content on the Platform that he is entitled to use accordingly and that does not violate applicable law or the rights of third parties. cirplus is entitled to block content posted by the Customer if there is reasonable suspicion that such content is illegal, violates these GTC or infringes the rights of third parties.
Role of cirplus and Brokerage
4.1 Unless cirplus explicitly offers Materials via his company account as Supplier, cirplus is not party to sale contracts performed on the Platform. cirplus then only provides Buyers and Suppliers with the Platform that in particular enables Customers to submit requests and offers for Materials
4.2 If cirplus has demonstrated the opportunity to conclude a contract for the purchase or sale of a Material by means of or outside the Platform (Evidence Broker) and such a contract has been concluded between the Buyer and the Supplier (the “Third Party Contract"), cirplus will charge the Buyer a proportional commission for the brokerage activities (the "Transaction Fee"). The amount of the Transaction Fee to be paid will be indicated in the process for concluding the Third Party Contract. The amount is determined on a case-by-case basis and may depend in particular on the product, its quality and quantity.
4.3 The Buyer and the Supplier are independent of one another obliged to inform cirplus immediately of any circumstances affecting the performance of the brokerage. This applies in particular with regard to the abandonment or change of the intention to purchase.
4.4 If cirplus demonstrates the opportunity to conclude a contract that is already known to the Buyer or Supplier, the Buyer or Supplier is obliged to reject this proof in writing.
4.5 The Buyer and the Supplier are independent of one another obliged to notify cirplus immediately of the conclusion of a Third Party Contract and to provide a full copy of the contract at the first request.
4.6 The Third Party Contract is concluded solely between the Buyer and the Supplier. cirplus shall not have any obligations in connection with the Third Party Contract, in particular with regard to the negotiations, conclusion, and enforcement of the Third Party Contract. cirplus does not owe any mediation and no mediation success with regard to the conclusion of the Third Party Contract. Whether a Third Party Contract is concluded is solely at the discretion of the respective parties to the Third Party Contract.
4.7 cirplus is entitled to provide Customers with additional (paid) services on or outside the Platform, which, however, require a separate contract between cirplus and the respective Customer.
Obligations of the Customer
5.1 The Customer warrants that the information provided during registration, in particular such information relating to the entrepreneurial status and the company itself, is accurate and that the Platform is used exclusively by appropriately authorized persons.
5.2 The Customer may use the Platform both as a Supplier and as a Buyer. Insofar as the Customer uses the Platform as a Supplier, the Customer is subject in particular to the following obligations:
a) The Customer must inform cirplus immediately if a Third Party Contract is concluded outside the Platform.
b) The Customer must be authorized to offer the offered Materials.
c) The Customer must be able to transfer the legal ownership of the offered Materials free of encumbrances of any kind.
d) The information on the Materials offered, which the Customer communicates on the Platform, must be complete and correct and must not be misleading.
e) The Customer must ensure that he will pack the offered Materials safely and appropriately, in accordance with the applicable laws.
5.3 Insofar as the Customer uses the Platform as a Buyer, the Customer is subject in particular to the following obligations:
a)The Customer must inform cirplus immediately if a Third Party Contract is concluded outside the Platform.
b)The information provided by the Customer in the framework of the contract initiation must be complete and correct and must not be misleading.
Terms of Payment; Adjustment of Remuneration
Insofar as remuneration is payable to cirplus in connection with the use of the Platform, in relation to cirplus' brokerage activities or for other services provided by cirplus, the following shall apply:
6.1 All prices stated by cirplus are net prices plus statutory value-added tax.
6.2 Issued invoice amounts are payable without deduction within fourteen (14) days from receipt of invoice by the Customer.
6.3 If the Customer defaults on payment of remuneration claims, default interest shall be charged at a rate of nine (9) percentage points above the respective base interest rate.
6.4 cirplus is entitled to adjust any agreed remuneration for the use of the Platform annually by an appropriate amount for future payment periods in order to compensate for personnel and other cost increases by third parties in which cirplus is not responsibly involved. cirplus shall notify the Customer in writing of these price adjustments and the date on which the price adjustment takes effect no later than four (4) weeks before they take effect, giving reasons for the adjustment. If the price increase amounts to more than seven percent (7%) of the previous price, the Customer may object to this price increase within a period of two (2) weeks from receipt of the written notification. If the Customer objects to a change within the meaning of this § 6.4 in due form and time, the contractual relationship shall be continued under the previous conditions. In this case, cirplus reserves the right to extraordinarily terminate the contractual relationship with one month's notice to the end of the month.
Availability of the Platform
7.1 During the term of the Platform Agreement, cirplus shall provide the Customer with the Platform with an availability of 97% on an annual average during Operation Hours. This means the availability of the Services at the handover point where the system interfaces with the internet.
Operation hours are: Monday to Friday (except public holidays in Hamburg) between 9:00 a.m. to 6:00 p.m.
7.2 Availability means the ability to use all essential functions of the Platform. Times of insignificant disruptions shall not be considered as downtime. The measuring instruments of cirplus shall be decisive for the proof of availability.
7.3. Furthermore, periods of unavailability (1) due to scheduled maintenance work on the Platform, (2) due to technical or other problems for which cirplus is not responsible (force majeure, fault of third parties, errors in the Customer's IT systems, etc.) or which (3) due to a breach of the Customer's duty to cooperate, in particular due to delayed or incomplete transmission of an error message, shall not be considered as downtime.
Platform Operation and Changes
8.1 cirplus endeavors to ensure that the Platform is always state-of-the-art. cirplus is entitled to carry out and/or introduce regular updates, new versions or upgrades of the Platform (hereinafter uniformly referred to as “Updates") in particular in order to adapt the Platform to new technical or business requirements, to respond to user behaviour, to implement new functions, to make changes to existing functionalities of the Platform or to comply with legal requirements.
8.2 To adapt the Platform to new or changed legal, technical (incl. cybersecurity) or business requirements or in case of another valid reason, cirplus may also carry out Updates that substantially restrict the use of the Platform by the Customer for the Contract Purpose, including the termination of any relevant functionalities or services, (such an Update is hereinafter referred to as a “Material Change"). In case of Material Changes, cirplus shall inform the Customers who pay a fee to cirplus for the use of the Platform or for other services provided by cirplus (the “Paying Customer") of the introduction of the features and time of the Material Change in writing within a reasonable period of time before it takes effect (a “Notification of Change").
8.3 The Customer shall be entitled to terminate the Platform Agreement free of charge within 30 days of the receipt of the information or of the time when the Platform has been modified by cirplus, whichever is later, if the Material Change negatively impacts the Customer's access to or use of the Platform, unless such negative impact is only minor. cirplus will inform the Paying Customer of his rights under this § 8.3 with each Notification of Change, in particular (i) the right to terminate the Platform Agreement, (ii) the time period set for this purpose and (iii) the legal consequences of an objection to the Material Change not made in due time.
8.4 The Customer’s right to terminate the Platform Agreement according to § 8.2 shall not apply if cirplus has enabled the Customer to maintain without additional cost the the use of the Platform without the Material Change, and the Platform remains in conformity.
Use in Breach of the Contract by the Customer, Compensation from cirplus
9.1 The Customer may only use the Platform for the purposes provided for in this contract. The Customer is also not entitled to (i) allow the Platform or data of cirplus to be used by third parties, (ii) make them accessible to third parties or (iii) use them in any other way outside the Contract Purpose.
9.2 For each case in which an unjustified use is made of a contractual service in the Customer's area of responsibility, the Customer must pay damages in the amount of the remuneration that would have been incurred for the contractual use within the framework of the minimum contractual period applicable to this service.
9.3 § 9.2 also includes the case that cirplus' chance of earning the Transaction Fee is thwarted as a result of the culpable conduct of the debtor of the Transaction Fee (e.g. if the Buyer and the Supplier come together via the Platform with regard to a Material, but then conclude the Third Party Contract outside the Platform and do not inform cirplus of this). In this case, cirplus remains entitled to claim the Transaction Fee.
9.4 In each case the Customer shall be reserved the right to prove that the Customer is not responsible for the unauthorized use or that no damage or considerably lower damage has occurred.
9.5 In each case cirplus remains entitled to claim further damages.
10.1 The Parties undertake to keep all confidential information which they became aware of in the course of the contractual relationship secret for an indefinite period of time and not to pass it on and not to use it in any other way - unless this is necessary to achieve the Contract Purpose. Confidential information is all information and documents of the Parties which are marked as confidential or which are to be regarded as confidential due to the circumstances, in particular information about operational processes, business relations, other trade, and business secrets, know-how, cirplus's business model and all work results of cirplus.
10.2 Exempt from this obligation is such information,
a) which was demonstrably already known to the respective other Party at the time of the initiation of the contract or subsequently become known to them from a third party, without thereby infringing a confidentiality agreement, statutory provisions or administrative orders;
b) which was publicly known, provided that this was not due to a breach of the contract;
c) which must be disclosed due to legal obligations or by order of a court or an authority. To the extent permitted and possible, the Party required to disclose information shall give prior notice to the other Party in this case and give them an opportunity to take action against such disclosure.
10.3 Any disclosure of confidential information to third parties, with the exception of disclosure to third-party service providers, requires the express written consent of the other Party.
10.4 The Parties shall ensure by appropriate contractual agreements that the employees and contractors working for them shall also refrain for an unlimited period of time from any own use or disclosure of confidential information. The Parties shall disclose confidential information to employees and contractors only to the extent that they need to know the information to execute this contract.
10.5 The Customer undertakes not to grant third parties access to the Platform.
11.1 The liability of cirplus, its legal representatives and vicarious agents for damages caused by slight negligence is excluded.
11.2 The liability restriction under § 11.1 does not apply in case of claims for damages arising from
a) the loss of life, injury of the body, injury of the health;
b) a compulsory statutory liability (e.g. Product Liability Act – Produkhaftungsgesetz);
c) a guarantee is given; and/or
d) the breach of material contractual obligations (so-called cardinal obligations). Material contractual obligations are those whose fulfillment makes the proper execution of a contract possible in the first place and on whose compliance the contracting parties may regularly rely.
In the event of a breach of material contractual obligations due to slight negligence, cirplus, its legal representatives and vicarious agents shall only be liable for the foreseeable damage typically occurring under this type of contract, unless such claims for damages are arising from the loss of life, injury of the body or injury of the health.
11.3 Any possible contributory negligence on the part of the Customer shall be credited. In particular, cirplus shall be liable for the recovery of data only insofar as the Customer has taken all necessary and appropriate data backup measures and has ensured that the data can be reconstructed with reasonable effort from data material provided in machine-readable form.
11.4 The Customer is obliged to immediately notify cirplus in writing of any possible damage within the meaning of the above liability regulations or to have cirplus record any such damage so that cirplus is informed as early as possible and can possibly reduce the damage together with the Customer.
11.5 The strict liability according to § 536 a para. 1 BGB for errors of the Platform already existing at the time of the conclusion of the contract is excluded unless the error concerns a characteristic of the Platform that is essential for the Contract Purpose.
Statute of Limitations
12.1 Claims of the Customer-based on the breach of any duty not consisting of a defect shall become time-barred, except in the event of intention or gross negligence, within one year from the origination of the claim. This shall not apply if the damage in question incurred by the Customer consists of personal injury (injury of life, body or health). Claims due to personal injury shall become time-barred within the statutory limitation periods.
12.2 Any rescission of contract or reduction of payments shall be invalid if the claim to performance or the subsequent performance of the Customer has become time-barred.
No Non-Compete Obligation and no Exclusivity Obligation on the Part of cirplus
cirplus is not subject to any non-compete obligation or exclusivity obligation and is entitled to provide services for other Customers nationally and internationally.
Set-Off, Retention, Reduction
14.1 The Customer shall only have a right to set-off, reduction and/or a right of retention against cirplus if his respective counterclaims have been legally established, undisputed or acknowledged by cirplus.
14.2 Furthermore, the Customer may only exercise a right of retention if the counterclaim is based on the same contractual relationship.
14.3 The Customer's right to reclaim remuneration not actually owed shall remain unaffected by the limitation of § 14.1.
cirplus is always entitled to commission third parties to assist cirplus in the providing of services (the “Third Party Service Providers"). If cirplus uses Third Party Service Providers to support them, these have, exclusively, a contractual relationship with cirplus.
16.1 The Customer shall indemnify cirplus from all claims made by other Customers or other third parties against cirplus due to the infringement of their rights in connection with the use of cirplus services by the Customer. The Customer shall assume the costs of the necessary legal defense of cirplus, including all court and legal fees in the statutory amount. This does not apply if the Customer is not responsible for the infringement of rights.
16.2 In the event of a claim by other Customers or third parties, the Customer is obliged to provide cirplus immediately, truthfully and completely with all information required for the examination of the claims and a defense.
Intellectual Property, Rights of Use
17.3 The Platform is protected by copyright. The sole owner of all intellectual and industrial property rights is cirplus (or its licensor).
17.4 cirplus does not grant any rights of use to Customers unless these are required for the use of cirplus services within the scope of the agreed Contract Purpose. Rights granted in this respect are (i) non-exclusive, (ii) non-transferable, (iii) non-sublicensable and (iv) limited in time to the duration of the Platform Contract between cirplus and the Customer. The Customer shall in particular not be entitled to disassemble, reverse engineer, or reverse compile the Platform in whole or in part except to the extent permitted by applicable law; (iv) modify, adapt, alter, or create derivative works from the Platform; (v) merge the Platform with other software, except to the extent permitted by applicable law; (vi) remove any proprietary notices from the Platform; (v) copy, distribute or publicly reproduce any of the Platform contents.17.5 Insofar as the Customer provides cirplus with protected content (e.g. graphics, trademarks or other content protected by copyright or trademark law), he grants cirplus all rights necessary for the execution of the contractual agreement. This includes, in particular, the right to make the relevant content available to the public. In this context, the Customer affirms that he holds all necessary rights to the materials provided in order to grant cirplus the corresponding rights.
Data Protection, Data Use, Advertising Consent
18.1 The Customer’s use of the services offered by cirplus may require the processing of personal data. To the extent that cirplus processes personal data as a processor on behalf of the Customer, such processing shall be governed by the provisions of Schedule 1 (Data Protection Addendum). Further details about the relevant processing activities for which cirplus acts as a processor are provided in the Annex of Schedule 1. In the event of any conflict or inconsistency between Schedule 1 and any other terms in these GTC, the provisions of Schedule 1 shall prevail.
18.2 In relation to certain processing activities (in particular in connection with fraud prevention, compliance checks, financial management, legal compliance, operation of the cirplus business, and marketing) cirplus may process relevant personal data as a controller. Information about cirplus’ processing of personal data as a controller is available at https://www.cirplus.com/privacy-notice.
18.3 The Customer and cirplus shall each comply with applicable data protection laws in relation to the processing of personal data in connection with these GTC and related processing activities. Customer shall not, by any act or omission, place cirplus in breach of applicable data protection laws.
18.4 cirplus is entitled to use data fed into the Platform by the Customer for the purposes of the Customer's contractual relationship with regard to the Third Party Contract in anonymized or aggregated form. cirplus will do this in particular to improve existing Platform functions or to provide new Platform functions.
19.1 Unless otherwise agreed in the Platform Agreement, the term of the Platform Agreement shall be one (1) year and shall be extended by one (1) year in each case unless the contract is terminated with two weeks' notice to the end of the respective term.
19.2 The right to extraordinary termination remains unaffected by this. cirplus is entitled to extraordinary termination, in particular, if
a) the Customer uses the services of cirplus in order to pursue illegal objectives;
b) the Customer makes use of cirplus' services primarily in order to obtain information about the market and/or competitors;
c) the Customer is in arrears with a due payment by more than two (2) months, even after a reasonable deadline set by cirplus for a remedy has expired;
d) the Customer seriously violates his contractual obligations and cirplus can therefore no longer be reasonably expected to adhere to the contract;
e) insolvency proceedings are applied for, opened or rejected for all or part of the Customer's assets;
f) the Customer has a reason for insolvency in the sense of §§ 17 - 19 InsO; or
g) the Customer's financial circumstances deteriorate to such an extent that proper fulfillment of the contract can no longer be expected, even if there is no reason for insolvency within the meaning of §§ 17 - 19 InsO.
19.3 Each termination requires at least text form via e-mail.
19.4 cirplus points out to the Customer that he is responsible for backing up his data in good time before the contract is terminated. For technical reasons, cirplus is generally unable to guarantee that the Customer will be able to access his or her data once the contract has ended. During the term of the contract with the Customer, cirplus will not delete any data fed into the Platform by the Customer, unless cirplus is legally obliged to do so (e.g. due to legal infringements caused by the data fed in by the Customer).
20.1 The Customer consents for cirplus to disclose the collaboration between cirplus and the Customer for marketing purposes and in this connection also use the company logo and brand of the Customer.
20.2 The customer furthermore agrees to act as a testimonial for cirplus. As such, the Customer will provide a publishable statement in which the Customer will describe the use of the Platform by the Customer and the associated benefits and successes in a clear and meaningful way
20.3 The Customer may revoke the consents provided under this § 20 at any time with future effect by declaration in text form (e.g. via e-mail to firstname.lastname@example.org]).
21.1 Amendments, additions or rescission of these GTC are required to be made in text form to be effective unless a stricter form is required by law. This also applies to the amendment or rescission of this text form clause.
21.2 None of the provisions of these GTC constitutes rights in favor of third parties who are not Party to these GTC.
21.3 If these GTC refer to a written form or notification, the sending of an e-mail shall also respectively suffice. E-mails to cirplus should always be sent to the following e-mail address: email@example.com
21.4 Should individual provisions of these GTC be or become invalid or unenforceable in whole or in part or should the GTC not contain a necessary provision, this shall not affect the validity of the remaining provisions of the GTC. In place of the invalid or unenforceable provision or to fill the loophole, the legally admissible provision shall be deemed to have been agreed retroactively which corresponds as closely as possible to what the Parties would have wished or to what would have been agreed in spirit and purpose of the GTC by the Parties if they had considered the invalidity or unenforceability of the provision in question or the loophole. This also applies if the invalidity or unenforceability is based on a measure of performance or time prescribed in the GTC. In this case, a legally permissible measure of performance or time that comes as close as possible to what was intended shall take the place of that prescribed in the GTC.
21.5 The GTC are subject to the law of the Federal Republic of Germany to the exclusion of the German Conflict of Laws principles and the UN Convention on Contracts for the International Sale of Goods.
21.6 For all disputes arising from or in connection with the contract, including the validity of the GTC, the District Court of Hamburg shall have exclusive jurisdiction to the extent permitted by law.
Data Protection Addendum
Purpose and Scope
1.1 The Parties agree that this Data Protection Addendum (“DPA”) shall set forth their obligations with respect to the processing of personal data by cirplus as processor (“Processor”) of the Customer (“Controller”) in connection with the provision of the relevant services.
1.2 This DPA applies to the processing of personal data as specified in the Annex. For the avoidance of doubt, this DPA does not apply to the processing of personal data by cirplus as controller.
1.3 The purpose of this DPA is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
1.4 This DPA is without prejudice to obligations to which the Controller is subject by virtue of the GDPR.
2.1 Terms used but not defined in this DPA shall have the definitions provided in the GTC and where this DPA uses the terms defined in the GDPR, those terms shall have the same meaning as in the GDPR.
2.2 This DPA shall be read and interpreted in the light of the GDPR.
2.3 This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.
In the event of a contradiction between this DPA and the provisions of the main body of the GTC or any related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.
Description of Processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller, are specified in the Annex of this DPA.
5.1 The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by the law of the European Union or Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. This DPA, the and related agreements between the Parties are the Controller’s final instructions at the time of execution of the and this DPA for the processing of personal data. Any subsequent instruction must be agreed to according to the process for amending the GTC.
5.2 The Processor shall immediately inform the controller if, in the Processor’s opinion, instructions given by the Controller infringe the GDPR or the applicable law of the European Union or Member State data protection provisions.
The Processor shall process the personal data only for the specific purpose(s) of the Processing, as set out in the Annex, unless it receives further instructions from the Controller.
Duration of the Processing of Personal Data
Processing by the Processor shall only take place for the duration specified in the Annex of this DPA.
Security of Processing
8.1 The Processor shall implement appropriate technical and organisational measures as required under Art. 32 of the GDPR. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
8.2 The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The Processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the Processor shall apply specific restrictions and/or additional safeguards.
Documentation and Compliance
10.1 The Parties shall be able to demonstrate compliance with this DPA.
10.2 The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.
10.3 Upon the Controller’s written and reasonable request, the Processor shall contribute to audits or inspections by making audit reports available to the Controller, which reports are the Processor’s confidential information. If in the Controller’s reasonable opinion, the provided information is not sufficient for the Controller to comply with its obligations under the GDPR, the Controller may request additional information. Furthermore, if required by a regulator, court or applicable law, the Controller may mandate an independent auditor to perform an audit of the personal data processed for the purpose of this DPA.
10.4 The Parties shall make the information referred to in this clause 10, including the results of any audits, available to the competent supervisory authority/ies on request.
Use of Sub-Processors
11.1 The Processor has the Controller’s general authorisation for the engagement of sub-processors from the list provided at www.cirplus.com/data/list-of-subprocessor, which URL may be updated or replaced from time to time (“List of Sub-Processors”) . The Processor will notify the Controller of any intended changes of that list through the addition or replacement of sub-processors at least 14 calendar days in advance, thereby giving the controller sufficient time to be able to reasonably object to such changes prior to the engagement of the concerned sub-processor(s). The Controller may reasonably object to a change on legitimate grounds within 7 calendar days after it receives notice of the change. The Controller acknowledges that Processor’s sub-processors are essential to provide the relevant services and that if it objects to the Processor’s use of a sub-processor, then notwithstanding anything to the contrary in the or any related agreement, the Processor will not be obligated to provide the Controller the services for which the Processor uses that sub-processor.
11.2 Where the Processor engages a sub-processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the sub-processor, data protection obligations that are comparable to those imposed on the Processor under this DPA.
11.3 If a sub-processor fails to fulfill its data protection obligations under that contract, the Processor will remain liable to the Controller for the acts and omissions of its sub-processor to the same extent the Processor would be liable if performing the relevant processing of personal data directly under this DPA.
12.1 Any transfer of data to a third country or an international organisation by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under law of the European Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of the GDPR. For the avoidance of doubt, the authorisation of the engagement of the sub-processors listed in List of Sub-Processor shall also be considered an instruction of the Controller to transfer the relevant personal data to such sub-processors.
12.2 The Controller agrees that where the Processor engages a sub-processor in accordance with clause 11 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.
Assistance to the Controller
13.1 To the extent required by applicable data protection laws, the Processor shall promptly notify the Controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the Controller.
13.2 The Processor shall, at the Controller’s expense, provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
13.3 In addition to the Processor’s obligation to assist the Controller pursuant to clause 13.2 and at the Controller’s expense, the Processor shall furthermore provide reasonable assistance to the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
a) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
b) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
c) the obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
d) the obligations in Art. 32 GDPR.
Notification of Personal Data Breach
14.1 In the event of a personal data breach, at the Controller’s expense, the Processor shall cooperate with and provide reasonable assistance to the Controller for the Controller to comply with its obligations under Art. 33 and Art. 34 GDPR, where applicable, taking into account the nature of processing and the information available to the processor.
14.2 In the event of a personal data breach concerning data processed by the Controller, at the Controller’s expense, the Processor shall provide reasonable assistance to the Controller:
a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b) in obtaining the information required pursuant to Art. 33(3) GDPR;
c) in complying, pursuant to Art. 34 GDPR, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
14.3 In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor having become aware of the breach. Such notification shall contain, at least:
a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
b) the details of a contact point where more information concerning the personal data breach can be obtained;
c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
15.1 The term of this DPA begins on the effective date of the Platform Agreement and terminates on the date on which the Platform Agreement is terminated or expires.
15.2. At the Controller’s choice, the Processor shall delete or return all personal data to the Controller after the end of the provision of services under the Platform Agreement, and delete existing copies, unless the Processor is required or authorized by applicable law to store personal data for a longer period.