(1) The following provisions apply in their respective version to all contracts concluded between the Provider and a Customer¹ for the services agreed upon with the Customer. Deviating, contradictory or supplementary terms and conditions of a Customer shall only become a part of the contract if agreed in writing.
(2) The following terms and conditions shall also apply to future contractual relationships between the Provider and a Customer, even if this has not been specifically stated again. This also applies if a service is performed while being aware of conflicting terms and conditions of a Customer.
(3) Contracts are concluded upon application by the Customer and acceptance by the Provider, which shall also be constituted by the performance of the services requested.
¹Customers in the sense of this regulation expressly concerns all genders.
(1) The scope of the individual services is based on the current service description in force at the time of placing the order. Deviating provisions in the service description take precedence over these conditions.
(2) When ordering, the Customer has the option to choose between the server locations USA or EU or to leave the decision to the Provider. Unless the server location EU is chosen, the additional provisions in Annex 3 apply.
(3) If no other agreement has been expressly reached, the Provider shall also be entitled to instruct expert staff or third parties to provide the services incumbent upon him. If active co-operation is required on the Customer's part on another server, e.g. during the transfer of a web space package or other data stored on the Provider's server, the Customer shall provide such co-operation in accordance with the Provider's instructions and within the stipulated time.
(4) The Provider can adapt its services to technical progress or to changes in the legal framework at any time. This includes the relocation of the services to another data center within the server location chosen by the Customer, or between the server locations if the Provider has been given the choice.
(5) If the services to be performed by the Provider also include the provision of specific server, the Customer is only entitled to a device with the performance features from the category ordered. The hardware as well as features that do not influence the performance features are determined by the Provider at his own discretion. If fixed IP addresses are provided to the Customer in this context, the Provider reserves the right to change the IP address(es) assigned to the Customer if this should become necessary for technical or legal reasons. The Provider will inform the Customer of any changes, including changes to IP addresses in accordance with this subsection 5.
(1) The Customer informs the Provider at least of the following data upon conclusion of the contract:
- Name and postal address, email address and telephone number of the Customer, consumer or entrepreneur status,
- Name, postal address, email address, telephone number and fax number of the technical contact for the domain,
- Name, postal address, email address and telephone and fax number of the administrative contact for the domain,
- and, if the Customer provides his own name server: additionally, the IP addresses of the primary and secondary name server, including the names of these server.
(2) The Customer ensures that the data provided by him to the Provider is correct and complete. This applies in particular to the indication whether the Customer is a consumer or a business customer. The Provider expressly points out that this information is subject to legal consequences and that cases of incorrectness may result in claims for damages.
(3) The Customer undertakes to inform the Provider immediately about changes of the provided data and to confirm the current correctness within seven (7) days upon receipt of a corresponding request from the Provider.
(4) The Customer is obliged to make proper data back-ups on a regular basis. This also applies if special security measures have been agreed upon by the parties.
(1) If no other agreement has been reached, the Provider shall be entitled to demand payment in advance for all services ordered by the Customer for the respective period. The Provider can make his service dependent on the first receipt of payment.
(2) Should the Provider be commissioned by the Customer to provide services that exceed the duties and responsibilities detailed in these Terms and Conditions and in the service description (e.g. software-configuration, correction of errors or problems etc., that were not caused by the Provider) the Provider shall be entitled to demand adequate remuneration. In this case, a standard payment according to the price list of the Provider shall apply.
(3) The Provider can adjust the prices at any time according to market developments. A price increase requires the consent of the Customer. Consent is deemed to have been given unless the Customer objects to the price increase within 4 weeks of receipt of the notification of change. The Provider undertakes to inform the Customer of the consequences of a failure to object with the notification of change.
(4) Payments made by the Customer shall not be refunded except in the case of an effective revocation, in which case, however, the conditions of § 5 para. 5 shall apply. Should the Customer have paid an amount to the Provider, the amount of which exceeds the payment amounts due up to the end of the contract term and owed by him for the services ordered by him up to that point, it is agreed that the remaining amount does not expire, but that it is used - instead of a refund - as a credit for the provision of further / new services, which the Customer can order from the Provider at any time.
(5) If the Customer chooses the payment method "direct debit" or a payment option of a payment service provider (e.g. PayPal or Skrill), he hereby agrees that any amounts resulting from the services of the Provider will be debited from his account. These monetary amounts can be:
- set-up fee
- package/server/housing/bandwidth charge
- domain costs
- costs due to additional traffic used
- other costs incurred by the services provided by the Provider, such as technical support
(6) In the case of return debit notes for which the Customer is responsible, the Provider charges a return debit note fee according to the current price list unless the Customer proves that no damage at all or a lower amount has been incurred.
(7) In the case of a failed direct debit, the Customer is generally in default on the day of the failure. If the Customer is in default of payment, the Provider reserves the right to charge the Customer for default costs if these costs were culpably caused by the Customer. This includes interest on arrears at the statutory rate as well as the costs of appropriate legal action, in particular reminder and collection charges, court fees and lawyers' fees. Furthermore, the Provider has the right to interrupt the service contract until full payment has been received. This interruption can also be accompanied by a new allocation of services that are cost-intensive for the Provider and that have been used by the defaulting Customer up to now. In this case, a loss of data cannot be ruled out, for example in the context of a server reallocation to new Customers. For the reactivation of a server or a webspace package, one-time fees according to the current price list shall become due.
(8) The provisions set out in paragraphs (6) and (7) shall also apply in the event of default of payment if the Customer has chosen a payment method via a payment service provider.
(9) Insofar as a contract has been concluded with the Customer without an obligation to pay in advance or if other services subject to payment are provided by the Provider which are not covered by the above provisions, all fees are due for payment fourteen (14) days after the invoice is issued without deduction, plus statutory VAT where applicable.
(1) Unless otherwise agreed between the parties, all webhosting packages ("webspace") and colocation services and domains offered by the Provider (meduza) assume a minimum service period of twelve months with an automatic extension of the agreement for twelve months.
All dedicated server packages and VPS packages offered by the Provider (meduza) assume a minimum service period selected by the Customer when placing the order with an automatic extension of the contract and the corresponding services for the minimum service period chosen by the Customer.
Once the payment which had been made by the Customer in advance for the agreed term has expired the contract is automatically terminated.
(2) Terminations have to be made by the Customer by using the meduza-customer login (https://my.meduza.ch), alternatively they have to be communicated to the Provider in text from (e.g. telefax or email).
(3) The right to terminate for good cause remains unaffected to either party. An important reason for termination shall in any case exist if the Customer is in default with a payment obligation despite a reminder or culpably violates the regulations in §§ 2, 3, 6 and 7.
(4) The termination of the agreements between the Provider and the Customer has no influence on the registration of an internet domain and the corresponding contract concluded with the registration authority. As far as the Customer wants to cancel the registration contract, this has to be declared explicitly to the Provider (see § 8).
(5) In the event that the Customer is a consumer within the meaning of § 13 BGB and exercises his right of revocation, the following shall apply:
Right of withdrawal
You have the right to revoke this contract within fourteen days without giving reasons. The revocation period is fourteen days from the date of conclusion of the contract. To exercise your right of revocation, you must send us a clear declaration (e.g. a letter, fax or e-mail) to
Via Sirana 40, Lugano, Switzerland
Tel.: International: +1 (917) 900-0443
Tel.: Europe : +33 6 99 08 80 48
Tel.: Switzerland: +41 766976 488
about your decision to revoke the contract. You can use the following sample revocation form, which is not mandatory. In order to comply with the revocation period, it is sufficient to send the declaration about your decision to revoke before the end of the revocation period.
Consequences of revocation
If you revoke this contract, we shall refund to you all payments we have received from you without delay and at the latest within fourteen days of the day on which we receive notification of your revocation of the contract. We will use the same means of payment for the repayment as you used for the original transaction, unless expressly agreed otherwise with you. If you have requested that the services should commence during the cancellation period, you shall pay us a reasonable amount corresponding to the proportion of the services already provided by the time you inform us of the exercise of the right of cancellation in respect of the contract compared with the total amount of services provided for in the contract. This is true in particular for yearly costs of ordering Internet domains. The reason for this is that these Internet domains are ordered individually according to the customer's wish from the responsible registry and such orders have to be paid by the provider for one year in advance. This is why advances rendered by the customer will be withheld, in general. Due to the installation and start of operation of the hosting services ordered by the customer (setup and configuration of the web space or server, the domain or the colocation space as well as the Internet uplink required, setup of upgrades, etc.), which the provider is contractually obligated to perform, the provider explicitly reserves the right to demand appropriate compensation for lost value if the costs for the services rendered by the provider in relation to the total services intended for the contract are not covered by advances made by the customer.
End of the right of withdrawal
Sample revocation form
If you wish to revoke the contract, please fill out this form and return it to the following address:
(1) The Customer expressly assures that the provision or publication of web page content created either by himself and/or web pages created for him by the Provider based on information provided by the Customer neither infringes German law nor any other law applicable in the Customer’s country of residence, in particular copyright, data protection and competition law. Furthermore, the Customer assures that the contents provided or published by him/her are not contrary to common decency, do not contain pornographic or obscene material, incite racial hatred, violate human dignity, endanger children or adolescents, or are insulting or discriminatory. This also applies to websites of third parties to which the Customer creates a link or has a link created.
(2) If the Provider is requested by third parties to change or delete contents of web pages because they allegedly violate third party rights, the Provider will immediately inform the Customer and request a statement. If the Customer does not respond within a reasonable period of time or if the statement does not sufficiently refute the accusation, the Provider reserves the right to block server access until the matter has been clarified. In this case, the Provider is also entitled to block web space packages or server or to exclude them in another suitable way from access by third parties. The Customer's payment obligations remain unaffected in this case
(3) The subsections above are also applicable for all other products offered by the Provider which are suitable for publishing data, such as VPS or colocated server.
(1) All rights to the services of the Provider made available during the term of contract, specifically software, know-how, trademarks or other industrial property rights remain expressly and unrestrictedly with the Provider. During the term of contract, the Customer is entitled to a non-transferable, non-licensable right of use within the scope of the agreed services. This also applies in the event that Customer-specific adaptations have been made.
(2) Insofar as the agreed services require the use of industrial property rights or copyrights of third parties, their provisions shall apply additionally in any case. This also applies to open source software; the Provider shall make the conditions of such software available to the Customer upon request.
(3) In any case, the provisions pursuant to §§ 17 and 18 of these terms and conditions apply.
(1) Should domain registration or domain hosting form part of the services offered to the Customer, the Provider shall act only in the capacity of mediator between the Customer, DENIC, InterNIC or other domain registration authority. Agreements with such organizations only create rights and obligations for the Customer. In this case, all terms and conditions of the respective registrar shall also become part of the contract without this requiring a separate agreement.
(2) The Provider has no influence on the allocation of domain names. He therefore cannot warrant that the registered domain names are not subject to claims by third parties or that they are unique or permanent. This also applies to sub-domains allocated within the Provider's domain.
(3) If the Customer should be requested by a third party to surrender a domain because it may infringe third party rights, he shall inform the Provider immediately. In such cases the Provider shall be entitled to surrender the Internet domain on behalf of the Customer.
(4) If the Customer wishes to terminate a domain registration, he must notify the Provider in writing at least three months before the end of the registration period. If this notification is omitted, the registration will continue according to the regulations of the registry.
(5) In the event of termination of the contract with the Provider, for any reason, the Customer is obliged to ensure that the domain is moved in good time. If this does not take place, the Provider can transfer the administration of the domain to the registry or, after requesting a statement from the Customer, cancel it if no Customer reply is received.
(1) If the provision of e-mail addresses or e-mail services forms part of the services offered by the Provider, the limitations set out in § 8 (2) shall apply analogously to e-mail addresses provided for the Customer. The Provider reserves the right to delete the Customers e-mail messages if they are not retrieved from the mail server within four (4) weeks of receipt.
(2) If provision of access to public discussion forums (newsgroups) forms part of the services offered by the Provider the time period over which public news is stored shall depend upon operational considerations of the Provider.
(3) The Provider shall not be responsible for the e-mail addresses he provides; their use and management is outside the control of the Provider. In the case of misuse, the Provider shall be entitled to suspend all or individual e-mail addresses. The Customer shall be informed immediately about such measures.
(1) For webspace-packages, the following applies: The Customer must ensure that his web site is designed such that the server is not excessively loaded, e.g. caused by CGI/PHP scripts requiring considerable computing power or above average memory usage. Excessive loading shall be defined as such usage of the aforementioned resources such that the operation of a meduza server is noticeably impaired or even crashes. The Provider reserves the right to prohibit Customers or third parties from accessing pages that do not comply with the aforementioned requirements.
(2) If no other agreement has been reached, the following content is forbidden:
- Unsolicited bulk messages (spam e-mails) or web pages that are connected in some way with spamming,
- All scripts and applications that may impair and/or disrupt the function of the server
(3) For dedicated, colocated and virtual server, the following applies: If no other agreement has been reached, the following content is forbidden:
- Unsolicited bulk messages (spam e-mails) or web pages that are connected in some way with spamming,
- IRCd, the service for Internet Relay Chat,
- All other scripts and applications that may impair and/or disrupt the function of the server or other server
(4) Should clause 1 or 2 be applicable, the Provider reserves the right to immediately suspend the webspace package or server. This course of action will also be implemented should other sites stored on the server or other server within the network of the Provider be affected by the Customer's site or server. The Customer shall be informed about any such suspension.
(5) The Provider reserves the right to immediately suspend of any server or webspace package on which any kind of proxy service, such as VPN or TOR, is operated, for which the Provider has knowledge of abuse or fraudulent or unlawful use.
(6) In case of such a suspension, solely the Customer, not the Provider shall be accountable for infringements of contracts. In any case the Provider's claim of payment of remuneration remains, for the entire contract period.
The following applies for server offers (like dedicated, colocated and virtual server):
(1) The Provider concedes complete and sole administration-rights on rented/colocated server to the Customer. Only the Customer knows the individual administration-password of the server, not the Provider. The Provider is therefore unable to administrate the rented/colocated server. Hence the Customer is solely and entirely responsible for administration and security of his server, at his own expenses and risks. It is his duty to install necessary security-software and to inform himself constantly regarding security issues as well as to fix such by himself. Installation of maintenance software or other software does not absolve the Customer from this duty. It is the Customer's duty to configure his programs in such a way that they are restarted automatically when the hardware or the operating system is restarted. § 2 (5) applies.
(2) If necessary and reasonable, the Customer will assist at simple configuration changes, such as entering the login-data anew, or simple changes of his systems.
(1) The Provider guarantees an annual mean 95%-availability of the physical connection of his webspace packages, dedicated, colocated and virtual server. Exempted hereof are periods of time in which the server are not reachable over the internet due to technical or other problems which do not lie within the Provider's sphere of influence (force majeure, faults of third parties or of the Customer) and for previously announced maintenance work of the Provider.
(2) The server located in the datacenters of the Provider are connected to the internet over a complex network infrastructure. Data traffic is routed over different active and passive network components (routers, switches, and other devices), which have a certain maximum data throughput. Therefore, data throughput capacities can be limited for particular server at particular points and not be equal to the maximum allowed data throughput of the respective switch-port. Unless otherwise agreed, the Provider cannot give a guarantee for the amount of actually available bandwidth for individual server, but makes available bandwidth depending on the technical capability of the datacenter, taking into account obligations towards other Customers.
(3) Customers can use the server of the Provider or own colocated server for an incalculable number of different applications and use various software programs for this purpose at their own discretion. Therefore, millions of different configurations are possible. The wide range of possible applications makes it impossible for the Provider to guarantee the usability and compatibility of server regarding specific applications.
(4) Except for the specifications made in the service description, the Provider cannot guarantee specific server resources being available for individual webspace packages and VPS. Rather, the Provider makes available resources depending on the technical possibilities, taking into account obligations towards other Customers.
(1) is The Provider renders its services in conformity with the EU regulation 2016/679 (General Data Protection Regulation; GDPR), with the German Federal Data Protection Act (BDSG) and the data protection laws of the states (Lander) as well as with the German Telemedia Act (TMG).
(3) To the extent that further personal data is processed via the services of the Provider on behalf of the Customer and this qualifies as data processing, the Provider is a processor as defined in Art. 28 GDPR. For this purpose, the parties conclude the agreement for processing of data attached as Annex 1; if the processing is performed in a data center outside the EU, the provisions in accordance with Annex 3 additionally apply.
(4) The Provider expressly points out that the protection of data privacy for data transmission across open networks such as the Internet cannot be fully guaranteed with current technology. The Customer is aware that the Provider technically might be able to see the data stored by the Customer on his server at any time. This depends on the ordered hosting product. Other unauthorized Internet users may also be technically able to interfere with network security and control the flow of messages.
(1) The Provider is liable for damages grossly negligently or intentionally caused by him or his vicarious agents (third parties pursuant to § 278 of the German Civil Code - BGB) as provided by law.
(2) In cases of violation of essential contractual obligations (essential are those contractual obligations which are essential for the performance of the agreed services so that the Customer can regularly rely on their provision) caused by slight negligence which lead to financial losses liability shall be limited to a liability insurance procured by the Provider (with regard to the amount of damages) and to predictable, imminent losses (with regard to the nature of damages). In all other respects liability is excluded.
(3) The limitations of liability stated above do not concern claims of the Customer regarding product liability and especially do not apply for damage caused to the Customer's health, or loss of life, fraudulent misrepresentation, or the violation of a guarantee or warranted quality attributable to the Provider.
(4) The liability regulations of § 44a TKG (Telecommunications Act) remain unaffected, to the extent that it is applicable.
The Customer indemnifies the Provider against all possible third-party claims arising from any illegal action by the Customer or from errors in the information provided by the latter. This applies in particular to copyright, data protection and competition law violations as well as violations of the obligations under §§6, 7, § 8 and § 9 of the Terms and Conditions. meduza shall not be obliged to check the Customer's websites for possible legal violations.
(1) The law of the Federal Republic of Switzerland exclusively applies, excluding the provisions of private international law and the Convention on International Sale of Goods (CISG).
(2) Any dispute resulting from this agreement shall be referred solely to a court of competent jurisdiction at the place of business of the Provider, unless the Customer is a consumer.
(1) All communications by the Provider may be sent to the Customer by electronic means. This also applies to invoices sent for services provided under the agreement.
(2) The Customer may only set off claims against the Provider if the entitlement is recognized by the Provider or confirmed by a final judgement.
(3) The Provider is authorized to list the Customer as a reference-Customer without being obliged to pay a refund.
(4) The Provider has the right to change the subject terms of this contract as long as the changes are reasonable, taking into account the interests of the Provider. The consent of the Customer with such amendments shall be deemed to be given if he does not dissent within 4 weeks after receipt of the message informing him about the change. The Provider is obliged to inform the Customer about the repercussions of not dissenting within 4 weeks.
(5) Should one or more provisions of these General Terms and Conditions be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. In this case, the parties will agree on a change that corresponds to what was actually and economically intended. The same applies in case of a contractual gap.
(6) We are not obliged to participate in dispute settlement proceedings before a consumer arbitration board and we have chosen not to do so. The link to the platform for online dispute resolution of the European Commission can be found on our website under the imprint (”company details”).
(1) Provided that the Customer has selected a Microsoft software product (e.g. Windows Server, SQL Server etc.) for installation on his server, the current provisions of the "Microsoft Service Provider Use Rights" (SPUR) and the "End User License Terms" (EULT) which apply within the context of the Microsoft "Service Provider License Agreement" to the Provider shall additionally apply, if the Customer is able to influence the use of the software or could infringe the provisions through use of the software. The Customer thus agrees to comply with the corresponding provisions and is responsible for observing them correctly. These provisions may result in the Customer’s possibility to use licenses acquired elsewhere with the server of the Provider being restricted or entirely removed.
(2) The Provider will supply a license for all Customer orders of Microsoft software products considering the Microsoft Service Provider License Agreement. This license allows the monthly use of the Microsoft software product on the server and limits its utilization permission with regard to some aspects. The Customer particularly must not use Microsoft products which require additional or other licenses according to SPUR or EULT. The Customer is obligated to comply with all these provisions on his own and is liable for violations against this usage policy to the Provider and Microsoft.
These provisions may be viewed at the following addresses at any time:
The following applies additionally if colocation-/housing-/bandwidth-offers are subject of the contract:
(1) The Provider is obliged to enable a connection to the internet and a storing position for the server according to the respective product description.
(2) The Provider does not provide any guarantee for hardware damage which can result, for example, from transport to the datacenter, back to the Customer or during going concern.
(3) The Provider grants the Customer access to his server-system during the office-times published on the homepage of the Provider in order to allow the Customer to work on the server-system. This requires, however, a written request which has to be addressed to the support-department of the Provider, at least 48 hours in advance. To access the server-system, the ID Card of the Customer or a statement of authority signed by the Customer is necessary. During the Customer's presence in the datacenter, the Provider has to fulfill various duties of supervision and control. Since this requires the attendance of the Provider's personnel, a fee will be charged according to the price list valid at that time per started hour according to the price list valid at that time. With prior agreement, the Provider can abstain from this at his sole discretion. If the appointment is not kept, the Customer has to cancel it at least 2 hours in advance (if during office hours) or at least 12 hours in advance (if outside of office hours). If there is no cancellation within the stated time periods and the appointment is not kept, the Customer will be billed according to the price list valid at that time.
(4) Reboots are provided for free by the Provider at the Customer's request unless stated otherwise in the product description and unless the number of reboots per month does not create disproportional effort.
(5) Other technical support services are not included with the offer. If the help of a technician is required, costs according to the price list per started 15 minutes incur.
(6) The Provider guarantees the following specifications regarding the availability of peripherals (air conditioning, electricity):
- The data floor, on which the server are located, is equipped with sufficient air conditioning and electricity,
- The Provider is responsible for correct and adequate maintenance of technical devices of the datafloor in order to guarantee going concern,
- In case of an outage / non-availability of electricity, UPS or air conditioning, the Provider will immediately, at the latest during the next working day, undertake all measures necessary to restore going concern
(7) Claims resulting from operational outage of peripherals (air conditioning, electricity) can only be asserted in case of violation of the guarantees mentioned in clause 6 up to the monthly amount for the colocated server and only if the outage has been lasting for over 72 hours (continuously, without breaks). If financial losses are claimed, these have to be substantiated and will be redeemed after verification up to an amount of € 500.00.
In case of an bandwidth-outage such claims are only valid if the guarantees regarding bandwidth made in § 12 (1) are undercut.
(8) The Provider does not assume liability for damage or loss of data.
(9) The Customer is responsible that the colocated equipment is flawless so that no negative impact for other devices can emanate from it.
(10) The Customer is liable for possible damages emanating from the server and is responsible for an adequate insurance.
(11) If the Provider intends to move to a different server location, the Provider informs the Customer immediately, at least one month in advance. Each party has a special termination right and can cancel the performances specified in this contract that are provided in the location which will change using written form. The termination will come into effect on the day the location is about to change. Given that the Provider has informed the Customer accordingly and neither party has made use of their special termination right, the contract continues unchanged at the new location. This subsection does not apply if the reason for the change of the location is a termination without notice of the rental agreement between the Provider and his lessor. In this case, only the following subsection (12) applies.
(12) The Customer is aware of the fact that the Provider himself has to rent the datafloor. If this contract concerns the housing and bandwidth provided in the datacenter, the contract concerning this performance ends automatically at the point of time when the rental agreement between the Provider and his lessor ends by means of an instant dismissal and the Provider has been unable to find a suitable new location. The Provider will inform the Customer immediately. Other agreements remain unaffected.
(13) If the server of the Customer needs more electricity or space than specified in the chosen offer, additional housing-modules are needed - when only noticed later, this change will be retroactive. The number and price of the required additional modules are specified in the price list of the Provider.
(14) The Provider reserves the right to adjust the price for housing accordingly to an increase of rental- additional and electricity-expenses, under the following conditions:
- The Customer is informed immediately about such a change,
- The increase takes place solely in order to pass the costs mentioned above and without any surcharge,
- The change takes place at the same point of time the increase takes place,
- The Customer has a special cancellation right for bandwidth and housing in the affected datacenter: He can cancel affected subscriptions within three months upon receipt of the message informing him about the change. This special cancellation right is valid during the mentioned three months-period. If it is not used, the contract continues under the adjusted conditions
(15) The Customer agrees to the fact that the Provider opens the case of the colocated server and adds a 'Web Resetter' to the reset-pin of the mainboard. Using this device, the Provider is able to restart the server of the Customer at any time if the Customer requests it. Furthermore, the Customer is able to reboot the server himself using the aforementioned device if he orders the necessary upgrade. In case the server is returned to the Customer, the Provider will remove the 'Web Resetter' again.
(16) The Customer is aware of and agrees to the fact that the Provider publishes (Live-)video material and static pictures of his datacenter and that these videos/images might picture equipment or server of the Customer.
(17) If the Customer is in delay of payment for any performance between him and the Provider, the Provider has the right to keep the server and/or equipment of the Customer in his possession until payment is made in full.
(18) The Customer grants the Provider a lien on colocated server and other equipment to back claims resulting from the contract between the Provider and the Customer. The lien only expires once all debt resulting from the contract between the Provider and the Customer has been paid and the contract has ended. Starting with the inception of treaty, the Customer has to inform the Provider immediately should the server not be or cease to be his property, be pledged or assigned. If the Customer is entitled to other rights to the colocated server, especially expectant right, he assigns these to the Provider in order to back debts resulting from the contract between the Provider and the Customer.
(19) The lien and the contractual lien can also be asserted for claims resulting from former services or other claims.
(20) If the Provider exercises his lien, it shall suffice to send a written notice to the last known address of the Customer. No further notice is required.
(21) Legal liens are unaffected by these terms.
(22) If the Customer does not retrieve his server / other equipment within four weeks after the contract has ended, the Provider will stock the items for a fee according to the price list.
This agreement is concluded between the Provider (meduza GmbH; below also named „supplier“) and the Customer (below also named „client“; together named „contracting parties“) in addition to the existing main contract which is based upon the Customer’s order and the Provider’s general terms and conditions. In case the Provider has to process personal data for which the Customer is responsible according to regulation 2016/679 (General Data Protection Regulation; GDPR), while fulfilling his duties arising from the main contract, the contracting parties precautionary conclude the following agreement for processing of data corresponding to Article 28 Paragraph 9 GDPR in order to substantiate the mutual rights and duties in case of a possible data processing by the Provider.
The subject matter and the duration of the contract result from the current service description and the general terms and conditions in force at the time of placing the order.
- Nature and purpose of processing of personal data by the supplier for the Customer are precisely defined in the current service description and the general terms and conditions in force at the time of placing the order.
- The undertaking of the contractually agreed processing of data shall be carried out exclusively within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA). Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement of the Customer and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled. When ordering, the Customer has the option to choose between the server locations USA or EU or to leave the decision to the Provider. Consent to processing in a third country is granted unless the Customer chooses the EU server location when ordering.
- The subject matter of the processing of personal data comprises the following data categories:
- Personal master data (key personal data), e.g. name, address
- Company data, e.g. employees, addresses, bank details, tax data
- Contact data, e.g. telephone, e-mail
- Key contract data, e.g. server data, login data
- Customer logs, e.g. login history, used IP-addresses
- Process data, e.g. e-mail tickets, network disturbances
- Customer history
- Contract billing and payments data
- Disclosed information, e.g. credit reference agencies or from public directories
- The categories of data subjects comprise employees and freelancers of the client as well as his customers, potential customers, website visitors, suppliers and other persons whose personal data have been stored on his servers.
- The contracting parties agree upon the technical and organizational measures constituted in Annex 2.
- The supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. [details in Annex 2]
- The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
The supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Customer, but only on documented instructions from the Customer. Insofar as a data subject contacts the supplier directly concerning a rectification, erasure, or restriction of processing, the supplier will immediately forward the data subject’s request to the Customer.
In addition to complying with the rules set out in this contract, the supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the supplier ensures, in particular, compliance with the following requirements:
- Appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. His / her current contact details are always available and easily accessible on the website of the supplier.
- Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Customer, which includes the powers granted in this contract, unless required to do so by law.
- Implementation of and compliance with all technical and organisational measures necessary for this order or contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Annex 2].
- The Customer and the supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
- The Customer shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this contract. This also applies insofar as the supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the processing of personal data in connection with the processing of this contract.
- Insofar as the Customer is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the contract data processing by the supplier, the supplier shall make every effort to support the Customer.
- The supplier shall periodically review the internal processes and the technical and organizational measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
- Verifiability of the technical and organisational measures conducted by the Customer as part of the Customer’s supervisory powers referred to in item VIII of this contract.
- Subcontracting for the purpose of this agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Customer's data, even in the case of outsourced ancillary services.
- In principle the Customer agrees that the supplier may contract with carefully selected subcontractors in accordance with a contractual agreement pursuant to Art. 28 Para. 2-4 GDPR. The supplier shall notify the Customer of such outsourcing to subcontractors in writing or in text form within a reasonable period of time in advance. Until the transferal of data, the Customer may object in writing or in text form to a subcontractor not listed under VII.3 for good cause. Good cause shall be deemed to exist in particular if there are serious doubts that the subcontractor can guarantee adequate protection of the data to be processed. In the event of such an objection, the contracting parties undertake to work towards an amicable settlement. In particular, the supplier shall disclose how the processing of data of the Customer or access to the infrastructure of the subcontractor can be excluded, while the supplier continues operations and provides the services. If no solution acceptable to the Customer is found within 4 weeks, the Customer shall have a special right of termination.
In accordance with III.2, the Customer has the option of choosing between the server locations USA or EU when ordering or to leave the choice to the Provider. If the Customer does not choose the server location EU when ordering, the Customer also agrees to processing in a third country as well as to the following subcontractors:
USA, St. Louis/Missouri
Data Center Operator
- The transfer of personal data from the Customer to the subcontractor and the subcontractors commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.
- If the subcontractor provides the agreed service outside the EU/EEA, the supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. These are listed in Annex 3.
- All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.
- The Customer has the right, after consultation with the supplier and only during normal working hours without disturbing operations, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the supplier by means of random checks. The audits have to be announced to the supplier with a lead time of no less than 10 working days (Mon-Fri - not 24 and 31 December), in the case of a data security event of not less than 5 business days. The Customer must take proper due care in the course of the business process, as well as to keep the supplier's business and business secrets. Any audits by a third party on behalf of Customer are subject to supplier's prior written consent. If the Customer, with the supplier's consent, contracts a third party to carry out the inspection, the Customer must obligate the third party to secrecy in writing, unless the third party is subject to a professional secrecy obligation. At the request of the supplier, the Customer shall immediately submit the obligation agreements with the third party to the supplier. The Customer may not contract any of the supplier's competitors with the inspection.
- The supplier shall ensure that the Customer is able to verify compliance with the obligations of the supplier in accordance with Article 28 GDPR. The supplier undertakes to give the Customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
- The supplier will claim remuneration for enabling Customer inspections.
- The supplier shall assist the Customer in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
- Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a personal data breach immediately to the Customer.
- The duty to assist the Customer with regard to the client’s obligation to provide information to the data subject concerned and to immediately provide the Customer with all relevant information in this regard.
- Supporting the Customer with its data protection impact assessment.
- Supporting the Customer with regard to prior consultation of the supervisory authority.
- The supplier will claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the supplier.
- The Customer shall immediately confirm oral instructions (at the minimum in text form).
- The supplier shall inform the Customer immediately if he considers that an instruction violates Data Protection Regulations. The supplier shall then be entitled to suspend the execution of the relevant instructions until the Customer confirms or changes them.
- Copies or duplicates of the data shall never be created without the knowledge of the Customer, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
- After conclusion of the contracted work, or earlier upon request by the Customer, at the latest upon termination of the main contract, the supplier shall destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
- Documentation which is used to demonstrate orderly data processing in accordance with the contract shall be stored beyond the contract duration by the supplier in accordance with the respective retention periods. It may hand such documentation over to the Customer at the end of the contract duration to relieve the supplier of this contractual obligation.
- The term and termination of this agreement shall be governed by the terms of the term and termination of the main contract. A termination of the main contract automatically results in a termination of this agreement. An isolated termination of this agreement is excluded. A termination for important reasons remains unaffected.
- Termination requires the written form to be effective.
- The court of jurisdiction for all disputes arising from this agreement shall be Munich.
- German law shall apply to this agreement, with exclusion of international private law.
- Changes and additions to this agreement and all of its components - including any warranties of supplier - require a written agreement and the explicit reference to the fact that they constitute amendments or supplements to these terms. This also applies to waiving the requirement for making such changes in writing.
- The Customer as well as each user agrees that the supplier may send system or product relevant information by e-mail. This consent can be revoked at any time.
- Should individual provisions of this agreement be or become invalid in whole or in part, the validity of the remaining provisions shall remain unaffected thereby. The contracting parties undertake, in this case, to replace the invalid provision with an effective provision which comes as close as possible to the economic purpose of the invalid provision. The same applies to any gaps in this agreement.
- Physical Access Control
No unauthorized access to data processing facilities, e.g.: chip cards, keys, electronic door openers, facility security services, alarm systems, video/CCTV systems
- Electronic Access Control
No unauthorized use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication
- Internal Access Control (permissions for user rights of access to and amendment of data)
No unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events
- Isolation Control
The isolated processing of data, which is collected for differing purposes, e.g. multiple client support, sandboxing
- Data Transfer Control
No unauthorized reading, copying, changes or deletions of data with electronic transfer or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature
- Data Entry Control
Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, document management
- Availability Control
Prevention of accidental or willful destruction or loss, e.g.: backup strategy (if explicitly ordered by Customer), Uninterruptible Power Supply (UPS) at the data center Nuremberg, virus protection, firewall, reporting procedures and contingency planning
- Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
- Data Protection Management
- Incident Response Management
- Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
- Contract Control
No third-party data processing as per Article 28 GDPR without corresponding instructions from the Customer, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.
These ONLY become effective if the Customer explicitly agreed to processing in a third country.
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
(the data exporter)
(the data importer)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);
b) ‘the data exporter’ means the controller who transfers the personal data;
c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
(1) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
(2) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
(3) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(4) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e) that it will ensure compliance with the security measures;
f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
j) that it will ensure compliance with Clause 4(a) to (i).
The data importer agrees and warrants:
a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
d) that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any accidental or unauthorised access; and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
(1) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
(2) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
(3) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(1) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
(2) he parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
(1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
(2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
(3) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely …
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
(1) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
(2) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(3) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely …
(4) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
(1) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
(2) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.