General Terms and Conditions and Data Protection

User Terms of Service
Customer Terms of Service
General Data Protection Regulation

Agreement on Data Processing Pursuant to Art. 28 of the EU
General Data Protection Regulation (GDPR)


- hereinafter referred to as "Client" -


Taskworld Deutschland GmbH

C/O. WeWork, Hermannstraße 13, 20095,

Hamburg, Germany

- hereinafter referred to as "Contractor" -

- Client and Contractor each hereinafter referred to as a "Party" and jointly referred to as the "Parties" -


  1. Subject matter of the contract and contents of the order
  2. Technical and organisational measures
  3. Rectification, limitation and erasure of data
  4. Quality assurance and other duties of the contractor
  5. Subcontracting relationships
  6. Control rights of the client
  7. Power of instruction of the client
  8. Deletion and return of personal data
  9. Duration of order, termination
  10. Applicable law, place of fulfillment, place of jurisdiction
  11. Miscellaneous
  12. Appendices
  13. Appendix 1 - Type and purpose of processing, type of data, categories of data subjects

    Appendix 2 - Technical and organisational measures

  1. Subject matter of the contract and contents of the order

    1. The object of the contract results from the agreement concluded between the parties on the provision of a service by the Contractor to the Client, to which reference is made here (hereinafter referred to as “performance agreement”). This contract for processing (the “Contract”) specifies the data protection obligations of the contracting parties. This contract shall apply to all activities related to the processing where the Contractor or his employees may come into contact with personal data provided to the Contractor by the Client.
    2. The type of data processed, the categories of data subjects, and the type and purpose of the collection, processing and use of personal data by the Contractor for the Client are specified in detail in Appendix 1 to this contract.
    3. Unless otherwise expressly stipulated in this contract, the contractually agreed data processing shall be performed exclusively in Germany, a member state of the European Union or another state party to the Agreement on the European Economic Area (EEA). Any relocation to a third country may take place only if the special conditions of Art. 44 et seq. of the GDPR are fulfilled.
  2. Technical and organisational measures

    The Contractor shall provide the security pursuant to Art. 28 para. 3 lit. c, 32 GDPR in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of security appropriate to the risk in terms of confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purpose of the processing as well as the variable probability and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account. The Contractor shall document the individual measures in a measure concept in Appendix 2.

    1. The technical and organisational measures are subject to technical progress and ongoing development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the safety level of the defined measures must not be undercut. Any significant changes must be documented.
    2. The Contractor shall regularly monitor the internal processes as well as the technical and organisational measures to ensure that the processing in his sphere of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.
  3. Rectification, limitation and erasure of data

    1. The Contractor may not rectify, delete or restrict the processing of the data processed on behalf of the Client without authorisation, but only in accordance with documented instructions from the Client. If a person concerned directly addresses the Contractor in this respect, the Contractor shall immediately forward this request to the Client.
    2. The Contractor shall support the Client with suitable technical and organisational measures to ensure the rights of affected parties to be forgotten, to rectification, to data portability and to access to information. For support services which are not owed according to the performance agreement, the Contractor can claim remuneration.
  4. Quality assurance and other duties of the Contractor

    1. The Contractor shall only employ personnel for the performance of the work who are under an obligation of confidentiality and who have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinated to the Contractor who has access to personal data may process such data only in accordance with the instructions of the Client, including the powers granted in this contract and in the performance agreement, unless they are legally obliged to process them.
    2. The Contractor shall support the Client in complying with the obligations set out in Articles 32-36 GDPR regarding the security of personal data, reporting obligations in the event of data breakdowns, data protection impact assessments and prior consultations. These include, among others:
      1. the obligation to immediately report violations of personal data to the client,
      2. the obligation to support the client within the scope of his duty to inform the affected parties and to make all information relevant in this context immediately available to him,
      3. assisting the Client in his data protection impact assessment,
      4. the support of the client within the framework of prior consultation with the regulatory authority.
    3. For support services which are not included in the performance agreement or which are due to misconduct on the part of the Client, the Contractor may claim remuneration.
  5. Subcontracting relationships

    1. For the purposes of this provision, subcontracting is defined as services which relate directly to the provision of the principal service. This does not include auxiliary services which the Contractor uses, for example telecommunications services, postal/transport services, maintenance and user services or the disposal of data storage media, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The Contractor is, however, obliged, even in the case of outsourced ancillary services, to make appropriate contractual agreements in accordance with the law and to take control measures in order to guarantee data protection and the security of the Client’s data.
    2. The Customer agrees to the contracting of subcontractors under the condition of a contractual agreement between the Contractor and the subcontractor in accordance with Art. 28 para. 4 GDPR. The consent expressly includes, subject to the aforementioned conditions, the use of the subcontractors named below.
    3. The Contractor makes use of infrastructure and platform services of the Amazon Web Services platform operated by Amazon Web Services, Inc. for the provision of the software solution in accordance with the performance agreement. The processing is done on a server of Amazon, Inc. in Frankfurt / Main (Germany). Contracts exist between Taskworld and Amazon Web Services Inc., regarding the use of the Amazon Web Services service and processing, which oblige Amazon Web Services Inc. to protect personal data. Detailed information from Amazon Web Services Inc. about Amazon Web Services Inc.’s compliance with data protection requirements can be found at
    4. The Contractor shall inform the Client in advance of any intended change with regard to the involvement or replacement of other processors. The Customer may object to this change vis-à-vis the Contractor within 14 days of receipt of the information by the Client. An objection may not be lodged without an interest of the Client which outweighs the interests of the Contractor.
    5. If the subcontractor performs the agreed service outside the EU/EEA, the Contractor shall ensure the legal admissibility of data protection by taking appropriate measures.
  6. Control rights of the Client

    1. The Client shall have the right, in consultation with the Contractor, to carry out inspections or to have them carried out by inspectors to be appointed in each case. The Client shall have the right to convince himself of the Contractor’s compliance with this contract at the Contractor’s premises by means of random checks, which are generally to be notified in good time.
    2. The Contractor shall ensure that the Client can satisfy himself that the obligations of the Contractor pursuant to Art. 28 GDPR are being complied with. The Contractor undertakes to provide the Client upon request with the necessary information and, in particular, to prove the implementation of the technical and organisational measures.
    3. Evidence of such measures, which do not only involve the specific order, can be provided by
      1. Compliance with approved rules of conduct pursuant to Art. 40 GDPR,
      2. Certification according to an approved certification procedure in accordance with Art. 42 GDPR,
      3. Current certificates, reports or report extracts from independent entities (e.g. chartered accountants, internal auditors, data protection officers, IT security department, data protection auditors, quality audit),
      4. a suitable certification through an IT security or data protection audit (for example according to BSI IT-Grundschutz).
    4. The Contractor can claim remuneration for the facilitation of controls by the Client.
  7. Powers of instruction of the Client

    1. Oral instructions shall be confirmed by the Client without delay (at least in text form).
    2. The Contractor shall inform the Client immediately if he is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to suspend the execution of the respective instruction until it is confirmed or amended by the Client.
  8. Deletion and return of personal data

    1. Copies or duplicates of the data shall not be made without the knowledge of the Client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as the storage of data, which is necessary with regard to compliance with statutory storage obligations.
    2. Upon completion of the contractually agreed work or earlier upon request by the Client - at the latest upon termination of the performance agreement - the Contractor shall surrender to the Client all documents in his possession, processing and usage results as well as data stocks created in connection with the contractual relationship or, after prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log shall be provided on request. The Contractor’s obligations under this Clause 8.2 shall not apply if there is an obligation to store personal data under EU law or the law of Member States of the EU.
    3. Documentation which serves as proof of data processing in accordance with the order shall be stored by the Contractor in accordance with the respective statutory periods beyond the end of the contract. He may hand them over to the Client to discharge him upon termination of the contract.
  9. Duration of order, termination

    1. The duration of this order corresponds to the duration of the performance agreement and also includes the period after the end of the performance agreement until the complete return or deletion of the data provided to the Contractor by the Client in connection with the execution of the main contract.
    2. The right of each contracting party to terminate this order without notice for good cause shall remain unaffected.
  10. Applicable Law, Place of Performance, Place of Jurisdiction

    1. German law shall apply to this contract.
    2. Place of performance is Hamburg.
    3. The exclusive place of jurisdiction for any disputes arising from this contract shall be Hamburg.
  11. Miscellaneous

    1. Amendments, supplements and additions to this contract shall only be valid if agreed in writing between the contracting parties. This shall also apply to any amendment of this provision of the contract.
    2. Should any provision of this contract be or become invalid, this shall not affect the validity of the remainder of the contract. The invalid provision shall be deemed replaced by a valid provision which comes as close as possible to the economic purpose of the invalid provision. The same shall apply in the event of a contractual gap.


Appendix 1: Type and purpose of processing, type of data, group of data subjects

Annex 2: Technical and organisational measures

Company Address:

Taskworld Deutschland GmbH

C/O. WeWork, Hermannstraße 13, 20095,

Hamburg, Germany

First and Last Name: Fred Mouawad
Position: Managing Director
Date: 25th May, 2018

Appendix 1 - Type and purpose of processing, type of data, group of data subjects

Affected persons and groups of persons
In particular:
  • Users of the software solution provided
  • Contractual partners of the Client
  • Employees of the Client
  • Prospective clients.
Type of data or categories of data
In particular:
  • Person master data
  • Communication data (e.g. telephone, e-mail)
  • Contract master data
  • Contract billing and payment data
  • Customer history
  • Planning and control data.
  • Contractor
  • Subcontractors
Type and purpose of processing
Provision of software with storage space via the Internet; provision of IT services, in particular support services

Appendix 2 - Technical and organisational measures

Note: Taskworld Deutschland GmbH (hereinafter referred to as “Taskworld”) processes personal data within the scope of this contract exclusively for the fulfilment of service and support obligations arising from the service agreement. All data is stored on the Amazon Web Services platform (see clause 5.2 of the contract; hereinafter referred to as the “AWS platform”). Taskworld accesses the data via a laptop or desktop computer provided for this purpose through the employee entrusted with the service provision. A contract exists between Taskworld and Amazon Web Services, Inc. regarding the use of the Amazon Web Services service. Detailed information from Amazon, Inc. regarding Amazon, Inc.’s compliance with the data protection requirements can be found at In the following the technical and organizational measures of Taskworld are described.

  1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
    1. Access control

      No unauthorized access to data processing equipment:

      • The only computer with access to the Client’s data shall be kept in locked rooms.
      • Access to these rooms is only granted to the employee responsible for support as long as the computer is switched on.
      • The computer is additionally secured by a Kensington lock.
      • Only the employee responsible for support has a key to the Kensington lock.
    2. Data media control

      No unauthorized reading, copying, modification or deletion of data media:

      • External data media used for data backup are stored separately and secured by an additional lock.
      • Only employees have the key to the data medium.
    3. Access, storage and user control

      No unauthorized reading, copying, modification or deletion within the system:

      • Only one computer shall be set up with access to the Customer’s data, which shall be used exclusively for the purpose of providing support services for the Contractor’s software solution.
      • This computer is secured with a qualified password consisting of at least 8 characters, including at least one special character and one number.
      • The password is changed every 2 months.
      • If the employee is absent from the computer, the password lock is activated immediately.
      • External backup copies on data media are also password protected.
      • The same password must not be used for the computer and the data carrier.
      • Access to data processing systems is permitted only to the employee responsible for support.
      • This is ensured by a user profile with password protection.
      • There are no further authorizations for accessing data processing systems.
    4. Separability

      Separate processing of data collected for different purposes:

      • The data of the client is accessed exclusively within the scope of the order and for the purpose of the support service.
      • The Contractor’s employee providing support processes the Client’s data separately from other data. This is ensured by setting up client accounts.
  2. Integrity (Art. 32 para. 1 lit. b GDPR)
    1. Transport control

      No unauthorized reading, copying, modification or removal during electronic transmission or transport:

      • Data are transmitted/transferred exclusively encrypted and via German servers.
      • A transmission/transfer to external data media is carried out exclusively via protected local connections.
      • Each transmission of data is logged.
      • A transmission/transfer is carried out only for the purpose of backup or for data processing in accordance with the order.
    2. Input control

      Checks to determine whether and by whom personal data have been entered into the data processing systems, or modified, or removed:

      • Only one employee of the Contractor is entrusted with the processing of personal data of the Client within the scope of support.
      • The employee logs every data entry, change or removal.
      • The logs are summarized for each support process and processed in a suitable manner for subsequent review.
      • The processed logs are made available to the Client on request.
    3. Data integrity

      No damage to data due to system malfunctions:

      • The integrity of the data is guaranteed by external backup copies on data media.
      • Data processing systems shall be set up within the framework of technical facilities in such a way as to prevent damage to or loss of data.
  3. Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
    1. Availability control

      Protection against accidental or deliberate destruction or loss:

      • The computer used for the support services is equipped with virus protection and a firewall, which are constantly updated.
      • To back up the data, a backup is created at regular intervals on an external data medium.
      • The uninterruptible power supply to the computer and the availability of the data are ensured by using modern hardware, which is maintained regularly.
    2. Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
      • After a malfunction of the data processing systems, all system components are immediately checked for errors and it is determined whether data has been damaged.
      • If the data has been damaged or lost, the data will be recovered from an external data carrier.
      • A report on the extent and remedy of the failure will be prepared for future reference.
    3. Reliability

      Availability of all functions of the system and error message:

      • All data processing systems are regularly updated, checked for errors and maintained. There are regular checks whether the systems used correspond to the current technical standard.
  4. Procedures for Regular Review, Assessment and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
    1. Data protection management:
      • All employees of the contractor are informed about data protection topics and obliged to comply with data protection regulations.
      • The Contractor’s management shall verify at regular intervals whether the internal procedures comply with data protection requirements and shall take appropriate measures to ensure this. The management is continuously advised by a lawyer on data protection aspects.
      • Access to the Client’s data by the Contractor’s employees shall take place exclusively within Germany and via German servers.
    2. Incident-Response Management:
      • In the event of a security incident that could affect the data processing systems, the Contractor’s management shall be informed immediately by their employees.
      • If a security incident is suspected, a data backup is performed on a separate data medium after each data entry or change.
    3. Data protection-friendly default settings (Art. 25 para. 2 GDPR)
      • When selecting the hardware and software used, the Contractor shall ensure that they are compatible with the requirement of data minimisation.
      • When software is installed, components which are not necessary for the use of the software and which can lead to an impairment of the Client’s data are not used.
    4. Order control

      No order data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Client:

      • The Contractor’s employee shall be contractually obliged to process the data in accordance with the Client’s instructions.
      • The powers of the Contractor shall be clearly and exhaustively regulated by contract.
      • Orders and support requests are documented in text form in order to be able to trace the order situation later.
      • The employee responsible for support maintains direct contact with the Client.