Updated: 16 APR 2026
Data protection agreement
This data protection agreement applies between the client (data controller, hereinafter “client”) and Vogel Event Solutions GmbH, Max-Planck-Str. 7/9, 97082 Würzburg (data processor, hereinafter “contractor”) in the event that the client engages the contractor via a main contract for services in the contractor’s area of business, and stipulates the parties’ respective rights and obligations under data protection law.
The agreement shall be deemed concluded once the client engages the contractor while also agreeing to the contractor’s general terms and conditions (GTC).
1. Agreement subject and term
The subject matter of the engagement is determined by the service agreement concluded between the parties, to which reference is hereby made (hereinafter “main agreement”).
For this, the contractor processes personal data for the client within the meaning of art. 4, nr. 2, and art. 28, GDPR, based on this contract.
The contractually agreed service will exclusively be provided in an EU member state or in a contractual state of the European Economic Area.
Any other move of the service or parts of the service to a third country requires the client’s consent in advance and may only occur if the special requirements of art. 44 et seq., GDPR, are met (e.g. adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
The term of this engagement (term) shall be coextensive with that of the main agreement. This does not affect the right to terminate the agreement without notice.
2. Type and purpose of processing, categories of data and data subjects
As a rule, the contractor offers the client the preparation, execution and follow-up of in-person, digital and/or hybrid events. The services include participant and speaker management, email marketing, web-based seminars, web conferences, video and audio recordings, event analyses, lead management and transfer, including the preparation of participant lists for contact tracing in the context of infection control, and provision of the technical communication platform, including survey and ticket management. The services commissioned in each case shall be determined by the main agreement.
Type of personal data (according to art. 4, nr. 1, 13, 14, and 15, GDPR):
Personal data processing may concern the following types/categories of data:
First name, last name, email address, chat messages sent to moderators or speakers, postal address
Categories of data subjects (according to art. 4, nr. 1, GDPR):
Categories of data subjects concerned by the processing may include: Employees of the Client, customers, prospective customers.
3. Rights and duties, and power to direct of the client
The client shall be solely responsible for assessing the permissibility of processing in accordance with art. 6, sec. 1, GDPR, and for safeguarding the rights of the data subjects according to articles 12-22, GDPR.
Nonetheless, the contractor is obligated to immediately forward all such requests to the client, given they are clearly directed exclusively at the client.
Changes to the object of processing, and process changes shall be agreed on by both the client and the contractor and shall be specified in writing or in a documented electronic format.
As a general rule, the client shall issue all orders, partial orders, and instructions in writing or in a documented electronic format. Verbal directions shall be confirmed immediately in writing or in a documented electronic format.
Prior to the start of the processing and thereafter regularly, the client shall be entitled, in accordance with nr. 5 and in an appropriate manner, to check the technical and organizational measures taken by the contractor as well as the contractor’s compliance with the obligations stipulated in this agreement.
The client shall inform the contractor without delay if they detect any faults or irregularities during the check of the results of the commission.
The client is obligated to treat as confidential all knowledge of the contractor’s business secrets and data security measures obtained within the scope of the contractual relationship.
This obligation shall remain effective even after termination of this contract.
4. Duties of the contractor
The contractor shall process personal data exclusively within the framework of the agreements made and in accordance with the client’s instructions, unless the contractor is required to do otherwise by law of the Union or the Member States to which the processor is subject (e.g., investigations by law enforcement or state security authorities); given such a case, the processor shall notify the controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest (art. 28, sec. 3, sent. 2, lit. a, GDPR).
The contractor shall not use the personal data provided for processing for any other purposes, in particular not for their own purposes. Copies or duplicates of personal data shall not be created without the client’s knowledge.
Regarding duly processed personal data, the contractor guarantees duly executing all agreed measures. The contractor assures data processed for the client is strictly separated from other data files.
The data carriers coming from the client or being used for the client are marked separately. Receipt, dispatch, and current use are being documented.
The contractor shall cooperate with and support the client to the necessary extent in the fulfillment of the rights of the data subjects by the client according to art. 12 to 22, GDPR, in the creation of processing activity logs, and in required data protection impact assessments of the client (art. 28, sec. 3, sent. 2, lit. e, GDPR). The contractor must immediately forward all data required for this to the authority on the side of the client specified in the request.
The contractor will immediately inform the client of any instructions that they deem in conflict with applicable laws (art. 28, sec. 3, s. 3, GDPR).
The contractor shall be entitled to suspend execution of an instruction until it is reviewed, and/or confirmed or amended by the person responsible on the client’s side.
The Contractor shall correct, delete, or restrict the processing of personal data arising from the contractual relationship given the client’s request in the form of an instruction, and the contractor’s legitimate interests do not conflict with this.
The contractor shall only provide information about personal data from the contractual relationship to third parties or the person concerned given instruction or consent by the client.
The contractor agrees that the client shall be entitled, in principle subject to prior appointment, to verify compliance with the provisions on data protection and data security as well as with the contractual agreements to a reasonable and necessary extent, either themselves or through third parties commissioned by the client, in particular by obtaining information and inspecting stored data and data processing programs, as well as by conducting on-site inspections and audits (art. 28, sec. 3, s. 2, lit. h, GDPR).
The contractor pledges to assist in these inspections if necessary.
The processing of data in private residences (remote working or home office by employees of the contractor) is only permitted given the client’s consent. If data is processed in a private residence, access to the employee’s home for control purposes of the employer must be contractually ensured in advance.
Compliance with article 32, GDPR, must also be ensured in this case.
The contractor confirms that they are aware of the data protection regulations of the GDPR relevant for order processing.
The contractor pledges to also adhere to secrecy rules relevant for this commission, which the client is bound to and will be communicated by the client in a timely manner.
The contractor pledges to adhere to confidentiality when processing the client’s personal data in accordance with the contract.
This obligation shall remain effective to exist even after termination of the contract.
The contractor guarantees they will brief affected employees working on the commission on the data protection provisions applicable to them before they commence their activities and that they will impose appropriate confidentiality obligations on them for the duration of their activities and after termination of the employment relationship (art. 28, sec. 3, sent. 2, lit. b and art. 29, GDPR).
The contractor shall monitor compliance with data protection regulations on their side.
The contact details of the contractor’s data protection officer shall be provided to the client for the purpose of direct contact. Any change of the data protection officer shall be communicated to the client without undue delay. The contractor has appointed the external service provider TÜV Süd, datenschutz@vogel.de, as their data protection officer. Any change of the data protection officer shall be communicated to the client without undue delay.
If applicable, the contractor pledges to inform the client immediately of the exclusion of approved codes of conduct according to art. 41, sec. 4, GDPR, and the withdrawal of a certification according to art.42, sec. 7, GDPR.
5. Notification duties of the contractor in the event of disruptions in processing and breaches of personal data protection
The contractor shall notify the client without undue delay of any disruptions, breaches by the contractor or their employees of data protection provisions or of the provisions agreed under this engagement, and any suspicion of data protection violations or irregularities in the processing of personal data.
This shall also apply in particular with regard to any reporting and notification obligations of the client according to art. 33 and art. 34, GDPR.
The contractor assures to adequately support the client, if necessary, in their obligations according to articles 33 and 34, GDPR (art. 28, sec. 3, sent. 2, lit. f, GDPR).
Notifications for the client according to art. 33 or 34, GDPR, may only be carried out by the contractor after prior instruction according to no. 4 of this agreement.
6. Commissioning of subcontractors (art. 28, sec. 3, sent. 2, lit. d, GDPR)
Commissioning subcontractors for the processing of the client’s data is only permitted to the contractor given the client’s consent, art. 28, sec. 2, GDPR, which must be provided via one of the above-mentioned communication channels (no. 4) with the exception of verbal approval. Consent can only be granted if the contractor informs the client of the name and address, and as the intended activity of the subcontractor.
Additionally, the contractor must ensure they carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor according to art. 32, GDPR. The relevant test documents in this regard shall be made available to the client upon request.
Subcontractors from third countries may only be commissioned if the special requirements of art. 44 et seq., GDPR, are met (e.g., adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
The contractor must ensure by contract that the agreed regulations between the client and the contractor also apply to subcontractors.
In the contract with the subcontractor, the information shall be specified in such concrete terms that the responsibilities of the contractor and the subcontractor are clearly defined.
If several subcontractors are used, this shall also apply to the responsibilities between these subcontractors. In particular, the client must be entitled to carry out appropriate checks and inspections, including on-site checks and inspections, at subcontractors’ premises if necessary, or to have these carried out by third parties commissioned by the client.
The contract with the subcontractor must be in writing, which also includes electronic form (art. 28, sec. 4 and 9, GDPR).
Data shall only be transferred to the subcontractor after the subcontractor has fulfilled the obligations according to art. 29 and art. 32, sec.4, GDPR regarding its employees.
The contractor shall be liable to the client for ensuring that the subcontractor complies with the data protection obligations contractually imposed on it by the contractor in accordance with this section of the agreement.
The client agrees to the engagement of the subcontractors listed under this LINK, subject to a contractual arrangement in accordance with art. 28, sec. 2–4, GDPR.
The processor shall always inform the controller of any intended change regarding the involvement of new subcontractors, or the replacement of prior subcontractors, giving the client the opportunity to object to such changes (art. 28, sec. 2, sent. 2, GDPR).
The contractor has the general authority to commission subcontractors, but is obliged to notify the client in advance of any subcontracting. The client has the right to object to the commission, and, by law, the right to object to this change (art. 28, sec. 2, GDPR). If no agreement is reached after explaining the reasons for the discarding of a subcontractor, the commissioning of the respective subcontractor is not possible.
7. Technical and organizational measures according to art. 32, GDPR (art. 28, sec. 3, sentence 2, lit. c, GDPR)
A level of protection appropriate to the risk for the rights and freedoms of the data subjects of the processing is ensured for the specific commissioned processing. For this, the security goals of art. 32, sec. 1, GDPR, such as confidentiality, integrity and availability of systems and services, and their resilience in relation to nature, scope, context and purposes of processing shall be adhered to in such a way that the risk is mitigated on a permanent basis by means of appropriate technical and organizational measures.
The technical and organizational measures can be accessed via the following link: https://legal.vogel.de/en/legal-cockpit-2/vcg-vogel-communications-group/clt/tom-eng/.
The contractor shall carry out a review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing when there is cause to do so (art. 32, sec. 1, lit. d, GDPR). The results, including the audit report shall be communicated to the client.
Security-relevant decisions regarding the organization of data processing and the procedures used shall be coordinated between the contractor and the client. If the measures taken by the contractor do not meet the requirements of the client, the contractor shall notify the client immediately.
The measures taken by the contractor may be adapted to technical and organizational developments during the course of the contractual relationship but must not fall short of agreed standards.
The contractor must coordinate significant changes with the client in documented form (in writing, electronically).
Such arrangements shall be retained for the duration of this contract.
8. Obligations of the contractor after the end of the provision of services art. 28, sec. 3, sentence 2, lit. g, GDPR
After completion of the commission, the contractor shall hand over to the client or delete or destroy in accordance with data protection requirements all data, documents, and processing or utilization results created in connection with the contractual relationship that have come into possession of the contractor or subcontractors.
The deletion or destruction shall be confirmed to the client in writing or in a documented electronic format, stating the date.
9. Remuneration
The contractual provisions of the service contract shall apply. Additional expenses incurred in supporting the client in fulfilling their obligations under data protection law or other obligations shall be remunerated appropriately at the hourly rates specified in the main agreement.
10. Liability
Art. 82, GDPR, is referenced.
Agreements on the technical and organizational measures as well as control and audit documents (including those relating to subcontractors) must be retained by both contracting parties for their period of validity and subsequently for three full calendar years.
11. Other
If the property or the personal data of the customer to be processed at the contractor are endangered by measures of third parties (for example by seizure or sequestration), by insolvency or composition proceedings, or by other events, the contractor shall notify the client immediately.
The plea of the right of retention within the meaning of § 273, BGB (German Civil Code), is excluded with regard to the data processed for the client and the associated data carriers.
Should individual parts of this agreement be invalid, the validity of the remainder of the agreement shall remain unaffected.