Data Protection Agreement MEETYOO Pro & Show
General Agreement on Order Processing
in accordance with Art. 28 (3) of the General Data Protection Regulation (GDPR)
§1 Completion of the contract
In accordance with the following conditions, an order processing contract is concluded between meetyoo (meetyoo conferencing GmbH, Friedrichstrasse 200, 10117 Berlin, Berlin, Germany) and any company that uses the contractor's services (hereinafter referred to as the "client").
§2 Scope of application and responsibility
meetyoo shall process personal data on behalf of, and in accordance with the instructions given by, the Contracting Authority. This shall include activities specified in the Contract and in the service description. Within the context of this Contract, the Contracting Authority shall bear sole responsibility for the observance of the statutory provisions of the data protection laws, in particular for the legality of the data transfer to the contractor as well as being solely responsible for the legality of the processing of the data ("Responsible Body" within the sense of Art. 4 No. 7 GDPR).
(1) To the extent that the terms "data processing" or "processing" of data are used in this Agreement, this shall be understood as the general usage of personal data. Reference is made to the further definitions in Art. 4 No. 2 GDPR.
(2) The instructions are initially determined by the Contract and the Contracting Authority may then amend, supplement or replace such with individual instructions (single instruction) in written form or in an electronic format (text form) to the body designated by the contractor. Instructions that have not been provided for in the Contract, shall be treated as a request for a change in performance. Verbal instructions shall be immediately confirmed either in writing or in text form.
§3 Subject matter, duration, and specification of the order processing
(1) The subject of the contract is the provision of internet and telephone-based presentation and conference media within the framework of the scope agreed with meetyoo, in accordance with the underlying contract.
(2) The term of this Agreement shall be determined in accordance with the provisions of the underlying contract.
(3) The following provisions shall apply to all order data processing services within the sense of Art. 28. (3) General Data Protection Regulation (GDPR), which meetyoo provides vis-à-vis the Contracting Authority. The Agreement shall therefore also apply for further orders until further notice.
(4) In particular, the following data shall form a component part of the data processing:
a) Types of data/data categories:
-Usage data from telemedia services or telecommunications services
-Image (speakers’ photos)
Circle of persons affected by the data processing
The circle of persons affected by the handling of the personal data within the context of the underlying contract shall be dependent upon for which group of people the Contracting Authority engages services of meetyoo.
c) Nature and purpose of the data processing:
-Access data management
-Reports for the client
-Use of the telemedia/telecommunications service
-International fixed-line and mobile dial-up
-Dial-out option, calling of conference participants upon request
-Conference recording (Voice Recording)
-Voice communication (telephone conference)
-OnDemand webcast (online video recording)
§4 Rights and obligations of the Contracting Authority
(1) The Contracting Authority shall bear sole responsibility for the assessment of the admissibility of the data collection, processing and usage and for the safeguarding of the rights of the persons affected and is thus a Responsible Body in accordance with Art. 4 No. 7 GDPR.
(2) The Contracting Authority shall be entitled to issue instructions concerning the nature, scope and methods of data processing. Instructions may only be made in text form. Any remuneration for additional expenses incurred by meetyoo as a result of the supplementary instructions of the Contracting Authority shall be negotiated separately.
(3)The Contracting Authority shall inform meetyoo immediately if errors or irregularities are determined in connection with the processing of personal data by meetyoo.
(4) The Contracting Authority shall be responsible for the legality of the collection, processing and use of the data of the Contracting Authority and for the safeguarding of the rights of the persons affected. Should a third party assert claims against meetyoo due to the collection, processing or use of Contracting Authority data, the Contracting Authority shall exempt meetyoo from all such claims upon first demand.
(5) Prior to the commencement of data processing and then, in consultation with meetyoo on a regular basis, the Contracting Authority shall be entitled to assure itself of the observance of the technical and organizational measures for data security being taken by meetyoo. The Contracting Authority may also have these checks carried out by a third party. Where necessary, the costs incurred as a result of carrying out an inspection shall be borne by the Contracting Authority.
(6) In the event of an information obligation in accordance with Art. 33, 34 GDPR, §15a TMG (German Telemedia Act) or § 109a TKG (German Telecommunications Act), the Contracting Authority shall be responsible for compliance with such.
§5 Obligations of meetyoo
(1) Data processing
a) Meetyoo shall be obliged to process personal data exclusively within the framework of the agreements made and in accordance with the instructions of the Contracting Authority. Any processing of data in deviation from this shall be prohibited. meetyoo shall be obliged to not process the data transferred for data processing for any other purpose; especially not for its own purposes.
b) Copies or duplicates may not be created unless this is the subject matter of the contract, necessary to ensure compliance with statutory retention obligations or if the Contracting Authority has given its express written consent.
(2) Rectification, deletion, and blocking of data
a) On the instructions of the Contracting Authority, meetyoo shall rectify, delete or block the personal data that is collected, processed or used in the order. The same shall apply if this Agreement provides for rectification, deletion or blocking of data.
b) Should an affected person turn directly to meetyoo for the purpose of rectification, deletion or blocking of his/her data, meetyoo shall be obliged to forward this request to the Contracting Authority immediately upon receipt.
(3) Duties of control
a) By means of appropriate controls, meetyoo undertakes to ensure that the personal data collected, processed or used in the order is processed exclusively in accordance with the provisions of this Agreement and/or the underlying contract and/or the relevant instructions.
b) meetyoo confirms that, in accordance with Art. 37 GDPR, it has commissioned an external data protection officer and that it monitors compliance with the rules on data protection and data security with the involvement of the data protection officer. Data protection officer:
Kent Schwirz, PROTEKTO DATA FUSE GmbH, Wendenstraße 279, 20537 Hamburg, Germany
Phone: +49 40 – 42236924, datenschutz [at] protekto.group
(4) Information requirements
a) If, in its opinion, an instruction issued by the Contracting Authority violates legal regulations, meetyoo shall make the Contracting Authority aware of this immediately. meetyoo shall be entitled to halt the implementation of the corresponding instruction until the responsible person at the Contracting Authority has confirmed the correctness of such or has modified it.
b) meetyoo shall be obliged to immediately inform the Contracting Authority of every breach of General Data Protection Regulations, of the contractual agreements and/or the instructions issued by the Contracting Authority, which have arisen in the course of the processing of data by it or by other persons commissioned therewith.
(5) Location of data processing
The collection, processing and use of the data of the Contracting Authority shall generally be carried out within the territory of the Federal Republic of Germany, in another Member State of the European Union or in another state which is party to the Agreement on the European Economic Area (EEA). Regardless of the fact that the collection, processing or use of Contracting Authority data outside of the EEA may possibly not be subject to the privileged status of Art. 8 GDPR, meetyoo shall be entitled to process the Contracting Authority data in compliance with the provisions of this Contract even outside of the EEA if the Contracting Authority is informed in advance with regard to the location of the data processing and has checked compliance with the technical and organizational measures taken in an appropriate form and the guarantees in accordance with Art. 44 ff. DSGVO.
(6) Deletion of personal data after completion of an order
Following the termination of the Contract, meetyoo shall be obliged to delete all personal data, documents and processing and usage results that have been created, which are in connection with the contractual relationship and which have come into its possession in a data protection and data security compliant manner and in accordance with the instructions of the Contracting Authority or to hand such over to the Contracting Authority. Excluded from this is personal data for which meetyoo has an obligation to store in accordance with Union law or the law of the member states.
§6 Data protection control
(1) meetyoo shall provide the Contracting Authority with evidence of the observance of the obligations laid down in this Contract by means of certified information security management in accordance with ISO 27001. The current certificate can be viewed in the following link: https://www.certipedia.com/quality_marks/9105037096?locale=en  &nb…;
(2) To the extent necessary, meetyoo shall grant the Contracting Authority the right to personally assure itself during normal working hours of compliance with the General Data Protection Regulations and the contractual agreements. In doing so, the Contracting Authority shall take meetyoo’s operational processes into account and announce such checks at least 10 days in advance.
(3) meetyoo shall support the Contracting Authority in the implementation of checks and collaborate in the full and speedy implementation of the same. Where necessary, the costs incurred as a result of carrying out an inspection shall be borne by the Contracting Authority.
(4) Upon written request and within a reasonable period of time, meetyoo shall be obliged to furnish the Contracting Authority with information to the extent necessary for the implementation of the check.
(5) meetyoo shall have to tolerate any control measures put in place by the Data Protection Supervisory Authority and shall notify the Contracting Authority insofar as personal data of the Contracting Authority is affected by a control measure immediately after gaining knowledge of the implementation of the said control measure.
§7 Subcontractual relationships
(1) The commissioning of subcontractors for the purpose of fulfilling an order shall only be permitted with the written consent of the Contracting Authority. meetyoo shall ensure that the subcontractors are selected with special consideration given to the suitability of the technical and organizational measures deployed by them.
(2) The contractually agreed services or the partial services described below shall be carried out with the involvement of the following subcontractors:
a) Web Service:
Name/Company: Amazon Web Services EMEA SARL
Function/activity: Provision of server capacities in Frankfurt
Headquarters [City, Country]: Luxembourg, Luxembourg
Certification: Privacy Shield, ISO 9001, ISO 27001, ISO 27017, ISO 27018
b) Telephone conference service:
Name/Company: Plusnet GmbH
Function/activity: Dial-in numbers provision (carrier)
Headquarters [City, Country]: Berlin, Germany
c) Event Service (as per commissioning):
Name/Company: MVC Mobile Video Communication GmbH
Function/activity: Video Conferencing System (Video)
Headquarters [City, Country]: Kronberg, Germany
Function/activity: Transcription of audio recordings (AudioEvent)
Headquarters [City, Country]: Frankfurt/Main, Germany
Name/Company: Retarus GmbH
Function/activity: Anti-spam, filtering e-mails
Headquarters [City, Country]: Berlin, Germany
Name/Company: SurveyMonkey Europe UC
Function/activity: Customer surveys
Headquarters [City, Country]: Dublin, Ireland
Name/Company: mailingwork GmbH
Function/activity: Newsletter dispatch
Headquarters [City, Country]: Oederan, Deutschland
e) Data destruction:
Name/Company: documentus GmbH Berlin & Co. Betriebs KG
Function/activity: File destruction
Headquarters [City, Country]: Berlin, Germany
Certification: ISO 9001:2015, DIN66399
(3) Contracting Authority before taking recourse to replace the subcontractors. The Contracting Authority may, within a period of 10 days, object to the change vis-a-vis meetyoo where good grounds exist. Should no objection be raised within the period, consent shall be deemed to have been given to the change.
(4) No consent shall be required for the involvement of subcontractors, where the subcontractor will only provide an ancillary service to assist in the performance as per the main contract, even if access to the Contracting Authority data cannot be excluded as a result (transport services provided by postal or courier services and cash transportation services, etc.) meetyoo shall conclude industry-standard confidentiality agreements with such subcontractors.
(5) The agreement to subcontract data processing must provide evidence of an adequate level of protection, which is comparable to that of this Contract. meetyoo shall regularly check compliance with the obligations of the subcontractor. In advance and during the term of the contract, meetyoo shall particularly ensure that the subcontractor has taken the necessary technical and organizational measures, as per Art. 32 (1) GDPR, to protect personal data.
(6) The transfer of data to the subcontractor shall then be permitted if the subcontractor has fulfilled the obligation as per Art. 28 GDPR.
(7) The obligation of the subcontractor must be made in writing. Upon request, this obligation shall be communicated to the Contracting Authority.
(8) The Contracting Authority hereby authorizes meetyoo, in the representation of the Contracting Authority, to conclude a contract with a subcontractor, which shall process or use Contracting Authority data outside of the EEA, whereby the EU standard contractual clauses for the transfer of personal data to order processors in third countries shall be included. The Contracting Authority declares itself to be prepared to co-operate in the fulfillment of the conditions of Art. 49 GDPR to the necessary extent.
§8 Data secrecy and confidentiality
(1) When processing data for the Contracting Authority, meetyoo shall be obliged to maintain data secrecy within the sense of the Art. 5 and Art. 29 GDPR or to maintain confidentiality concerning data.
(2) meetyoo undertakes only to use employees in the implementation of the order who have been obliged to data secrecy or confidentiality in the sense of Art. 5 and Art. 29 GDPR and have been made familiar with the requirements of data protection in an appropriate manner. The data secrecy obligation shall continue to apply following the end of the order.
§9 Technical and organizational measures
(1) Meetyoo is certified in accordance with ISO 27001. The current certificate can be found in the following link: https://www.certipedia.com/quality_marks/9105037096?locale=en
(2) The technical and organizational measures described in Appendix 1 shall be deemed to be binding and meet the requirements in accordance with Art. 32 GDPR. The technical and organizational measures may be adapted in the course of the contractual relationship. Major changes must be agreed upon in writing.
(3) Within the information security management, meetyoo shall ensure compliance with its obligations as per Art. 32(1) lit. d) GDPR and to implement a procedure for regular review of the effectiveness of the technical and organizational measures to ensure the security of processing.
(4) meetyoo shall inform the Contracting Authority immediately of faults, breaches of statutory data protection provisions or the stipulations determined in this Agreement by meetyoo or persons employed by it, and of any suspected data protection violations or irregularities in the processing of personal data. meetyoo shall ensure that it supports the Contracting Authority in its obligations as per Art. 32 to 36 GDPR.
§10 Contact person
(1) In the event of any data protection issues within the context of the Contract, the following contact is at your disposal:
Rico Hengstmann, Compliance
meetyoo conferencing GmbH, Friedrichstr. 200, 10117 Berlin, Telephone +4930 – 868 710 400, datenschutz [at] meetyoo.de
(1) In the event of contradictions between the provisions of this Agreement and the provisions of the Contract, the provisions of this Agreement shall take precedence.
(2) Changes and additions to this Agreement must be made in writing and shall require the express indication that the present provisions are being amended and/or supplemented thereby. This shall also apply to any waiver of the written form requirement.
(3) Should any provision of this Agreement be or become invalid or unenforceable, the remaining provisions of this Agreement shall remain unaffected by this. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the purpose of the provision to be replaced.
(4) With respect to meetyoo’s limitation of liability, the election of the board, and the court of jurisdiction, reference shall be made to the underlying contract of services with meetyoo.