Commitment to comply with data protection regulations in accordance with the European General Data Protection Regulation (GDPR) for external service providers and external project members
Updated: 27 FEB 2024
You hereby pledge not to engage in unlawful or unauthorized processing of personal data, or in any knowing or accidental violation of the security of said processing that may result in destruction, loss, alteration, unauthorized publication, or unauthorized access. Personal data may only be processed if consent has been given, if a contractual or legal regulation allows for it, or if processing is mandatory. GDPR principles for processing of personal data are stipulated in art. 5, sec. 1, GDPR and in essence contain the following obligations:
- All data, programs (software), and devices (computers, notebooks, and other hardware in this sense) may only be stored, processed, or given out as directed by an authorized department.
- Data, programs, and other information may not be reproduced for any purpose other than business.
- It is prohibited
  - to alter data or programs, to create fake data or programs, and to deliberately use fake or falsified data or programs;
  - to make alterations to devices (see above), their configurations, and their software that have not been coordinated with or ordered by the client;
  - to connect one's own devices to the in-house network. These may only be connected to specially labeled network connections in conference rooms. For this, one's own devices need to be security checked (virus check, free of spyware, up-to-date patches); the company reserves the right to have its data security officer carry out a spot check.
- Only data required for the performance of a respective task may be accessed. Access to the internet (emails and downloads) may solely be used for the performance of the respective task.
- Transferring personal data to third parties is only admissible if the recipient has an information right based on legal regulations.
- Documents featuring personal data are to be stored confidentially and securely so that no third party has access, and are not to be shared with third parties under any circumstances. This includes data stored electronically and in analog form. After work for the client has been concluded, all data is to be returned to the client or deleted, depending on what has been arranged.
Due diligence must be applied for the protection of personal data in the context of the assigned task; defects are to be reported upon identification. Granted rights shall neither be circumvented nor misused. Access data (user name, password, SMS passcodes) may not under any circumstances be passed on; their loss is to be reported immediately to the distributing authority.
Furthermore, personal data must be
- processed in a manner that is lawful and comprehensible for the data subject;
- collected for specific, unambiguous, and legitimate purposes and may not be processed in a manner that is not compatible with said purposes;
- adequate, relevant, and limited to the scope necessary for the purpose of processing (“data minimization”);
- factual and, if required, up-to-date; all appropriate measures are to be undertaken in order to immediately delete or remedy all personal data that are inaccurate for the purposes of their processing;
- stored in a manner that only allows for the identification of the data subject to be possible as long as it is required for the purposes of their processing;
- processed in a manner that guarantees appropriate protection of personal data, including protection from unlawful processing and unintentional loss, unintentional destruction, or unintentional damage, via suitable technical or organizational measures (“integrity and confidentiality”).
Violations of this commitment may be punishable by fine and/or jail time. Additionally, a violation may constitute a breach of contractual obligations, or special confidentiality obligations.
Culpable violations of this commitment may also result in claims for damages (by civil law). This declaration does not impact your confidentiality obligation arising from your employment contract or special agreements. The commitment shall remain effective even after termination of the activity.
By selecting “YES”, I confirm this commitment. This declaration of commitment can be accessed here.