Privacy agreement
As of June 20, 2025; the previous version can be found here.
Preamble
This agreement specifies the data protection obligations of the contracting parties arising from the order processing described in this agreement and in Sections 3 and 4. It applies to all activities related to toujou services in which employees of the processor or third parties commissioned by the processor may come into contact with personal data of the controller.
Individual agreements in this data protection agreement take precedence over the general terms and conditions (GTC) of the processor.
§ 1 Definitions
- “Personal data” means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (Art. 4 No. 2 GDPR).
- “Controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 No. 8 GDPR).
- “Subprocessor” means any processor who processes personal data on behalf of the main processor.
- “Instruction” is the controller's order, usually in writing, directed at the processor to handle personal data in a specific manner (e.g., storage, pseudonymization, deletion, disclosure). Instructions are issued by the controller and may be amended, supplemented, or replaced by individual instructions. The controller's instructions must be issued in writing or by email.
§ 2 Scope of application and responsibility
- The processor provides development, hosting services, and maintenance measures for preconfigured TYPO3 systems on behalf of the controller. In this context, it cannot be ruled out that the processor may gain access to or become aware of personal data. According to Art. 28 GDPR, it is therefore necessary to conclude an agreement for processing on behalf of the controller.
- The controller has selected the processor as a service provider in accordance with the due diligence obligations of Art. 28 GDPR. A prerequisite for the permissibility of data processing on behalf of the controller is that the controller issues the order to the processor in writing. In accordance with the wishes of the parties, and in particular the controller, this contract contains the written order for processing within the meaning of Article 28(3) GDPR and regulates the rights and obligations of the parties with regard to data protection in connection with the provision of hosting services.
- Ownership of the personal data lies exclusively with the controller within the meaning of the General Data Protection Regulation. On the basis of this responsibility, the controller may also request the correction, deletion, blocking, and disclosure of personal data during the term of the contract and after its termination.
§ 3 Object and duration of the order
- The subject matter of the contract is TYPO3 service hosting at the rate ordered by the customer. The exact subject matter and purpose of the processing are set out in the main contract between the parties.
- This agreement shall enter into force upon conclusion of the toujou contract (in accordance with the General Terms and Conditions, https://www.toujou.com/gtc/ ) and shall generally end upon termination of the underlying main contract in accordance with the General Terms and Conditions. The right to extraordinary termination remains unaffected.
§ 4 Description of processing, data, and data subjects
- The processor shall process personal data exclusively for the purposes specified in the main contract. Processing for other purposes is only permitted with the prior written consent of the controller.
- The scope, type, and purpose of the processing, as well as the type of data, are defined in forms created or used by the controller. The use, content, and scope of these forms are the responsibility of the controller. Furthermore, there is access to all content and media data (images, videos, documents, etc.) that has been uploaded and inserted into the system by editors.
- The group of data subjects comprises the editors in the TYPO3 system (employees or agents of the controller) as well as the visitors and users of the controller's website generated from the system.
§ 5 Technical and organizational measures
The processor undertakes to the controller to comply with the technical and organizational measures that are appropriate and necessary to comply with the applicable data protection regulations.
- Since the processor provides hosting services for the controller outside the controller's business premises, the processor is required to document the technical and organizational measures it has taken within the meaning of Art. 28 (3) (c) GDPR, Art. 32 GDPR in conjunction with Art. 5 (1) and (2) GDPR, and to submit them to the controller for review.
- The measures serve to ensure data security and to guarantee a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems related to this order. In doing so, the state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, must be taken into account.
- The technical and organizational measures in place at the time of conclusion of the contract and the current status of these measures are attached as Annex A to this agreement. The parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The processor shall consult with the controller in advance regarding any significant changes that may affect the integrity, confidentiality, or availability of the personal data. Measures that only involve minor technical or organizational changes or that do not adversely affect the integrity, confidentiality, and availability of the personal data may be implemented by the processor without consulting the controller. The processor can find an up-to-date version of the technical and organizational measures taken by the controller at any time here.
§ 6 Correction, restriction, and erasure of data
- The processor may not correct, delete, or restrict the processing of the data processed on behalf of the controller without the controller's documented instructions. If a data subject contacts the processor directly in this regard, the processor will immediately forward this request to the controller for approval.
- The implementation of the deletion concept, the right to be forgotten, correction, data portability, and information must only be ensured directly by the processor in accordance with documented instructions from the controller.
- Copies or duplicates of the data shall not be made without the knowledge of the controller. This does not apply to backup copies, insofar as they are necessary to ensure proper data processing, or to data that is necessary for compliance with statutory retention obligations.
- Upon completion of the contractually agreed work or earlier upon request by the controller – but no later than upon termination of the main contract – the processor shall hand over to the controller all documents that have come into its possession, processing and usage results created, and data stocks related to the contractual relationship, or destroy them in accordance with data protection regulations after prior consent. The same applies to test and reject material. The deletion log must be presented upon request.
- Documentation serving as proof of orderly and proper data processing must be retained by the processor beyond the end of the contract in accordance with the respective retention periods. The processor may hand it over to the controller at the end of the contract to relieve itself of its obligations.
§ 7 Obligations of the contractor
- The processor is prohibited from processing personal data that is not related to the provision of hosting services, unless the controller has given its written consent.
- The processor confirms that it has appointed a company data protection officer within the meaning of Articles 38 and 39 GDPR, insofar as it is legally obliged to do so. The current contact details of the data protection officer are easily accessible on the processor's website. You can find them at https://www.toujou.com/legal-notice/
- The processor shall immediately inform the controller if, in its opinion, an instruction issued by the controller violates legal regulations. The processor is entitled to suspend the execution of the instruction in question until it has been confirmed or amended by the controller.
- The processor shall inform the controller immediately in the event of serious disruptions to operations, suspected data breaches, or other irregularities in the processing of the controller's personal data.
- In the event that the processor discovers or has reason to believe that personal data processed by it on behalf of the controller is subject to a breach of legal protection of personal data pursuant to Art. 33 GDPR (data protection breach or data breach), e.g. by being unlawfully transmitted or otherwise unlawfully disclosed to third parties, the processor shall immediately and fully inform the controller in writing or in text form (fax/email) of the time, nature, and scope of the incident or incidents. The notification to the controller must contain at least the following information:
  - A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned, and the approximate number of personal data records concerned.
  - The name and contact details of the data protection officer or other contact point for further information.
  - A description of the likely consequences of the personal data breach.
  - A description of the measures taken or proposed to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
  The processor is also obliged to immediately communicate what measures have been taken by the processor to prevent unlawful transmission or unauthorized access by third parties in the future.
- Upon request, the processor shall provide the controller with the information necessary for the record of processing activities pursuant to Art. 30 (1) GDPR and, as processor, shall itself maintain a record of processing activities pursuant to Art. 30 (2) GDPR.
- The processor shall ensure that the employees involved in the processing of the controller's personal data are bound to confidentiality in accordance with Art. 28 (3) sentence 2 lit. b, 29, 32 (4) GDPR and have been familiarized with the relevant provisions of data protection. The processor and any person under the processor's authority who has access to personal data may only process such data in accordance with the controller's instructions, including the powers granted in this agreement, unless they are required by law to process it. This confidentiality obligation shall continue even after the termination of the activity.
- The fulfillment of the aforementioned obligations must be monitored by the processor and documented in an appropriate manner.
- Furthermore, the processor undertakes to assist the controller in complying with the obligations set out in Articles 34-36 GDPR in accordance with Article 28(3)(f) GDPR:
  - By providing all relevant information without delay in the context of the controller's duty to inform the data subjects and the supervisory authority in this regard.
  - In carrying out its data protection impact assessment.
  - In the context of prior consultation with the supervisory authority.
- The controller and the processor shall cooperate with the supervisory authority on request in the performance of its tasks.
- The processor shall inform the controller without delay of any supervisory authority inspections and measures relating to this contract. This also applies if a competent authority investigates the processor in connection with an administrative offense or criminal proceedings relating to the processing of personal data during contract processing.
- If the controller is subject to an inspection by the supervisory authority, administrative or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the processing of orders by the processor, the processor shall support the controller to the best of its ability.
- The processor shall regularly monitor internal processes and technical and organizational measures to ensure that processing within its area of responsibility is carried out in accordance with the requirements of applicable data protection law and that the rights of the data subject are protected.
§ 8 Rights and obligations of the client
- The controller is responsible for compliance with the statutory data protection regulations, in particular the GDPR.
- The controller shall provide the processor with all necessary instructions for the processing of personal data.
- The controller shall inform the processor immediately if it discovers errors or irregularities when checking the processing results.
- If the controller issues individual instructions that go beyond the contractually agreed scope of services, the justified costs incurred as a result shall be borne by the controller.
§ 9 Guaranteeing the rights of the data subject
- The processor shall, to the extent possible, assist the controller in fulfilling the obligations and rights of data subjects under Chapter III of the GDPR (Articles 12–23).
- If a data subject contacts the processor directly, the processor shall forward the request to the controller without delay.
§ 10 Powers of inspection
- The controller has the right to monitor compliance with the statutory provisions on data protection and compliance with the contractual provisions agreed between the parties, as well as compliance with the controller's instructions by the processor at any time to the extent necessary.
- The processor is obliged to provide information to the controller to the extent necessary to carry out the monitoring within the meaning of paragraph 1.
- The controller may, after giving reasonable notice, carry out the monitoring within the meaning of paragraph 1 at the processor's premises during normal business hours. The controller shall ensure that the monitoring is only carried out to the extent necessary, insofar as the processor's business operations are disrupted by the monitoring.
- The processor is obliged to provide the controller with the necessary information in the event of measures taken by the supervisory authority against the controller within the meaning of Art. 58 GDPR, in particular with regard to information and control obligations.
- The processor shall provide evidence of technical and organizational measures that are not limited to the specific order. This can be done by:
  - Compliance with approved codes of conduct in accordance with Art. 40 GDPR.
  - Certification according to an approved certification procedure in accordance with Art. 42 GDPR.
  - Current certificates, reports, or report extracts from independent bodies (e.g., auditors, internal auditors, data protection officers, IT security officers, data protection auditors).
  - Appropriate certification by means of an IT security or data protection audit (e.g., in accordance with ISO 27001 or BSI basic protection).
- The costs of an inspection of the processor pursuant to paragraphs 3 and 4 may be claimed from the controller.
§ 11 Subcontracting arrangements
- The processor shall not use any third parties to provide hosting services on behalf of the controller who process data on its behalf in accordance with Art. 28 GDPR (“subprocessors”).
- The processor may only engage subprocessors as required with the written consent of the controller.
The controller agrees that the processor may engage companies to perform its contractually agreed services or subcontract services. Currently, these are the following companies:
Approved subcontractors:
| Name | Purpose | Provider | Data protection |
|---|---|---|---|
| Google | Visitor statistics, hosting infrastructure | Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Data protection provider |
| jweiland.net | Hosting infrastructure | jweiland.net, Jochen Weiland, Echterdinger Straße 57, 70794 Filderstadt, Germany | Data protection provider |
| HEXONET | Domain registration | HEXONET GmbH, Talstraße 27, 66424 Homburg, Germany | Data protection provider |
| Amazon Web Services | Hosting infrastructure, CDN, email | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States | Data protection provider |
| punkt.de GmbH | Hosting infrastructure | punkt.de GmbH, Kaiserallee 13a, 76133 Karlsruhe, Germany | Data protection provider |
| BunnyWay d.o.o. | CDN | BunnyWay d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia | |
| Key-Systems GmbH | Domain registrar | Key-Systems GmbH, Kaiserstraße 172-174, 66386 St. Ingbert | |
| Hetzner Online GmbH | Analytics and add-on services (PDF etc.) | Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | |
- The processor shall contractually oblige the subprocessors to comply with the same data protection obligations as set out in this contract.
- The processor shall remain responsible for the compliance of the subprocessors with these obligations.
§ 12 Data secrecy and secrecy obligations
- The processor undertakes to observe the same confidentiality rules as those incumbent on the controller. The controller is obliged to inform the processor of any special confidentiality rules.
- The processor assures that it is familiar with the applicable data protection regulations and is confident in their application.
- Both parties undertake to treat all information received in connection with the performance of this agreement as confidential for an unlimited period of time and to use it only for the performance of the contract. Neither party is entitled to use this information, in whole or in part, for purposes other than those mentioned above or to make this information available to third parties.
- The above obligation does not apply to information that one of the parties has demonstrably received from third parties without being obliged to maintain confidentiality, or that is publicly known.
§ 13 International data transfers
- Personal data will only be transferred to third countries (countries outside the European Union or the European Economic Area) if this is necessary to fulfill our contractual obligations, is required by law, or the controller has given their consent. In any case, the processor shall ensure that an adequate level of data protection is guaranteed, for example by:
  - Concluding standard contractual clauses
  - Binding Corporate Rules (BCRs)
  - Appropriate data protection measures in accordance with Art. 46 GDPR
§ 14 Information obligations, written form clause, choice of law
- If the personal data of the controller at the processor is endangered by seizure or confiscation, by insolvency or composition proceedings, or by other events or measures taken by third parties, the processor must inform the controller immediately. The processor shall immediately inform all responsible parties in this context that the sovereignty and ownership of the personal data lies exclusively with the controller as the “responsible body” within the meaning of the Federal Data Protection Act.
- Amendments and additions to this annex and all its components – including any assurances made by the processor – require a written agreement and an express reference to the fact that they constitute an amendment or addition to these terms and conditions. This also applies to any waiver of this formal requirement.
- If any provision of these contractual terms and conditions is invalid, the remaining provisions shall nevertheless remain valid. The contracting parties undertake to replace any invalid provision or any provision that is missing contrary to the intention of the parties with a provision that comes closest to the jointly pursued purpose of the contracting parties in good faith.
Appendices
Appendix A, Technical and organizational measures
Here you can download the current version of “Appendix A” as well as previous versions.
| File / Version | Download |
|---|---|
| 17-10-22_Anlage-A_TOM_DFAU-toujou.pdf (Version: 22.10.2017) | PDF file |
Changes
Our data protection agreements are subject to ongoing review as part of our development process. The previously valid version can be found here.