1. Preamble

1.1. The consentmanager gmbh, hereafter named „consentmanager gmbh", offers a platform for gathering consent from website visitors via the Internet: www.consentmanager.net, www.consentmanager.de and other URLs (below: CMP).
1.2. The contractual partners utilize this service as an operator of a Web site or app (hereinafter referred to as: “client”). The contractual partner has full legal competence or is represented by a legal representative who has full legal competence.
1.3. This General Terms and Conditions regulate the collaboration between Consentmanager AG and the contractual partner.
1.4. In order to use the CMP, the contractual partner applys for an account on the CMP website. Applying for an account constitutes a contractual relationship between consentmanager gmbh and the registering party. consentmanager gmbh is free to reject any account without giving reasons.
1.5 In addition to this contract, the data processing contract contained in Annex 1 also applies.

2. General

2.1. The General Terms and Conditions apply that are currently published at www.consentmanager.net. consentmanager gmbh reserves the right to change the General Terms and Conditions at any time.
2.2. The contractual partner will be notified in writing, by e-mail or in an other suitable manner about any changes in the General Terms and Conditions. They shall be considered as accepted if the contractual partner does not object within a period of 2 weeks upon the notification. With the notification, consentmanager gmbh shall point out expressly to the contractual partner this consequence of his conduct. The right of the contractual partner to withdraw from the contract due to the change in the General Terms and Conditions remains unaffected therefrom.

3. Package details & Service

3.1 The service is free of charge up to a monthly amount of 10,000 pageviews.
3.2 If the amount of pageviews within a certain calendar month exceeds the amount of 10,000 pageviews, consentmanager gmbh will stop the service for this client for this month. This means, the CMP will no longer be delivered to the client's website, reports will not be generated and automatic crawls will not be performed.
3.3 The package features are displayed on the www.consentmanager.net website. consentmanager gmbh is free to change the package details and features at any time without notice.
3.4 consentmanager gmbh remains the right to extend, modify or cancel its free services at any time without giving any reason.

4. Intellectual property, Liability, Data privacy

4.1 The ownership and copyright of the software supplied by consentmanager gmbh, the printed material and all copies of the software are the responsibility of the software manufacturer. The software is protected by copyright and international treaty provisions. The client shall therefore treat the software as any other copyrighted material.
4.2 The client hereby expressly agrees that consentmanager gmbh may designate the client in consentmanager gmbh's advertising or to third parties as a reference.
4.3 The client acknowledges that consentmanager gmbh only provides a certain service (e.g. collecting consent from visitors, protocol consent information for later proof in case of vindication, providing consent information to third parties using a standard API) and does not guarantee non-liability to third parties by using the service. Furthermore consentmanager gmbh or the usage of this service cannot guarantee that, e.g. by using the service on the client’s website, the client is fully compliant to general data protection regulation(s) or other data regulations in his country or region. The service provided by consentmanager gmbh may only be seen as a piece of a juristically solution.
4.4 The client acknowledges that consentmanager gmbh is not liable for any issues or problems that occur on the clients' website in conjunction with consentmanager gmbh's services. Claims for damages of any kind, for whatever legal reason, including damages resulting from the use of software on data, software or hardware of the user are excluded, unless the damage is caused intentionally or through gross negligence. This does not apply if the damage was caused by the violation of a cardinal obligation by consentmanager gmbh. consentmanager gmbh is only obliged to repair or replace goods if the client has completely fulfilled his contractual obligations. All claims against consentmanager gmbh are not assignable without written consent and can only be asserted by the client. consentmanager gmbh is liable for damages resulting from errors in the programming, software, hardware or other components of the system up to a maxi-mum sum of 3 monthly bills of the client. The calculation is based on the average invoices of consentmanager gmbh to the client for the last 12 months.
4.5 The client is not allowed to cache any of the files/URLs provided by consentmanager gmbh’s services if not declared otherwise (e.g. by using HTTP headers).

5. Final Provisions

5.1 If any provision (or part of a provision) of this agreement is invalid, illegal or unenforceable, the rest of the agreement will remain in effect.
5.2 Place of performance and jurisdiction for all obligations and disputes arising under the contract, termination and settlement is, provided that there are no compelling legal reasons, for both parties Hamburg, Germany.

Annex 1: Data processing contract

between consentmanager gmbh as processor (hereinafter referred to as “consentmanager gmbh”) and the client as the data controller/responsible.

Preamble

The client would like to commission consentmanager gmbh with the services specified in § 3. Part of the contract execution is the processing of personal data. In particular, Art. 28 GDPR places certain demands on such an order processing. In order to comply with these requirements, the parties conclude the following agreement, the fulfillment of which is not separately remunerated, unless expressly agreed.

1. Definitions

1. In accordance with Art. 4 (7) GDPR, the person responsible or data controller is the one who, alone or together with other responsible persons, decides on the purposes and means of processing personal data.
2. According to Art. 4 (8) GDPR, the processor is a natural or legal person, public authority, institution or other body that processes personal data on behalf of the person responsible.
3. According to Art. 4 Para. 1 GDPR, personal data are all information that relate to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is considered to be identifiable when he/she can be identified, directly or indirectly, and in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more specific features, that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
4. Particularly vulnerable personal data are personal data in accordance with Art. 9 GDPR, which show the racial and ethnic origin, political opinions, religious or ideological convictions or trade union affiliation of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offences or related safeguards as well as genetic data according to Art. 4 Para. 13 GDPR, biometric data according to Art. 4 Para. 14 GDPR, health data according to Art. 4 Para. 15 GDPR as well as data on the sex life or the sexual orientation of a natural person.
5. Processing is, in accordance with Art. 4 (2) of the GDPR, any process or series of operations performed with or without the aid of automated procedures in relation to personal data such as the elicitation, collection, organization, order, storage, adaptation or modification, reading out, querying, using, disclosing through transmission, dissemination or any other form of provision, reconciliation or association, restriction, deletion or obliteration.
6. According to Art. 4 (21) GDPR, the supervisory authority is an independent state agency established by a Member State pursuant to Art. 51 GDPR.

2. Specification of the competent data protection supervisory authority

1. The responsible supervisory authority for the client is the country representative for data protection or a similar body at the client's headquarters.
2. Responsible supervisory authority for consentmanager gmbh is the German Data Protection Authority in Hamburg.
3. The client and consentmanager gmbh and, if necessary, their representatives work, on request, together with the supervisory authority to fulfill their duties.

3. Contract Object

1. consentmanager gmbh will provide services to the client on the basis of the contract between the parties (“Main Contract”). In doing so, consentmanager gmbh gains access to personal data and processes it exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by consentmanager gmbh result from the Main Contract (and the associated service description). The client is responsible for the assessment of the admissibility of the data processing.
2. The parties conclude this agreement to clarify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement take precedence over the provisions of the Main Contract.
3. The terms of this Agreement shall apply to all activities related to the Main Contract in which consentmanager gmbh and its employees, or consentmanager gmbh agents, that come into contact with personal data originating from or collected for the client.
4. The term of this contract is based on the duration of the Main Contract, provided that the following provisions do not result in obligations or termination rights beyond it.

4. Right of instruction

1. consentmanager gmbh may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the client; This applies in particular to the transfer of personal data to a third country or to an international organization. If consentmanager gmbh is obliged to further processing by the law of the European Union, or of the Member States to which it is subject, he shall inform the client of these legal requirements prior to processing.
2. The instructions of the client are initially determined by this contract and can then be changed, supplemented or replaced by the client in written form or in text form by individual instructions (individual instruction). The client is entitled to issue corresponding instructions at any time. This includes instructions regarding the rectification, deletion and blocking of data. The authorized persons are listed in Annex 1.4. In the case of a change or a longer-term absence of named persons, the contracting party must be notified immediately in text form of the successor or representative.
3. All instructions given must be documented by both the client and consentmanager gmbh. Instructions that go beyond the performance agreed in the Main Contract are treated as an application for a change in performance. consentmanager gmbh must inform and get confirmation from the client if they regard this as a change in performance and of any pricing or other implications of this before implementing the change.
4. If consentmanager gmbh believes that a client's instruction violates data protection regulations, consentmanager gmbh must inform the client immediately. consentmanager gmbh is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the client. consentmanager gmbh may refuse to carry out an evidently illegal instruction.

5. Type of processed data, data subjects concerned

1. As part of the execution of the Main Contract, consentmanager gmbh will have access to the personal information specified in Annex 1.1. These data include the specific categories of personal data listed in Appendix 1.1 and identified as such.
2. The group of data processors is given in Appendix 1.2.

6. Protective measures by consentmanager gmbh

1. consentmanager gmbh is obliged to comply with the statutory provisions on data protection and not to pass on the information obtained from the area of the client to third parties or to expose them to their access. Documents and data are to be secured against the knowledge of unauthorized persons by taking into account the generally acknowledged state of the art.
2. In his area of responsibility, consentmanager gmbh will design the in-house organization in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organizational measures to adequately protect the client's data in accordance with Art. 32 GDPR, in particular at least the measures of access control listed in Appendix 1.3.
3. consentmanager gmbh reserves the right to change the security measures taken, with consentmanager gmbh ensuring that the contractually agreed level of protection is not lowered.
4. At consentmanager gmbh the company contact person for data protection is: Götz Sielk (goetz@consentmanager.net).
5. The persons employed in the data processing by consentmanager gmbh are prohibited from collecting, processing or using personal data without authorization. consentmanager gmbh will oblige all persons entrusted by consentmanager gmbh with the processing and fulfillment of this contract (hereinafter referred to as employees) (obligation of confidentiality, Art. 28 Para. 3 lit. b GDPR) and ensure with due diligence the compliance with this obligation. These obligations must be such that they will persist even after the termination of this contract or the employment relationship between the employee and consentmanager gmbh. consentmanager gmbh shall be required to prove the obligations on request by the client in an appropriate manner.

7. Information requirements of consentmanager gmbh

1. In the event of any disruption, suspicion of breaches of privacy or breaches of contractual obligations by consentmanager gmbh, suspected security incidents or other irregularities in the processing of personal data by consentmanager gmbh, persons employed by it or by third parties, consentmanager gmbh shall promptly notify the client in writing. The same applies to examinations of consentmanager gmbh by the data protection supervisory authority. The personal data breach message contains at least the following information:
a) a description of the nature of the breach of the protection of personal data, indicating, where possible, the categories and the number of data subjects, the categories concerned and the number of personal data records involved;
b) a description of the remedial action taken or proposed by consentmanager gmbh and, where appropriate, measures to mitigate its potential adverse effects.
2. consentmanager gmbh immediately takes the necessary measures to safeguard the data and to mitigate the potential adverse effects of those affected, informs the client about this and requests further instructions.
3. In addition, consentmanager gmbh is obliged to provide the client with information at any time, as far as its data is affected by an infringement according to paragraph 1.
4. If third-party measures are jeopardized, consentmanager gmbh must inform the client without delay, unless consentmanager gmbh is prohibited by court or an administrative order. In connection with this, consentmanager gmbh will immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the client as “responsible person” within the meaning of the GDPR.
5. consentmanager gmbh must notify the client immediately of significant changes to the security measures.
6. A change in the person of the company data protection officer / contact person for the data protection has to be disclosed to the client immediately.
7. consentmanager gmbh and, if applicable, its representative keep a record of all categories of processing activities carried out on behalf of the client, which contain all the information required by Article 30 (2) GDPR. On request, the directory must be made available to the client.
8. consentmanager gmbh must cooperate to a reasonable extent in the preparation of the procedural directory by the client. It has to provide the client with the necessary information in a suitable manner.

8. Control rights of the client

1. The client convinces himself before starting the data processing and then regularly (annually) from the technical and organizational measures of consentmanager gmbh. For this purpose, he/she may, for example obtain information from consentmanager gmbh, request the presentation of existing certificates from experts, certifications or internal audits, or check the technical and organizational measures of consentmanager gmbh personally or have them checked by a competent third party after timely coordination during normal business hours, or this third party is not in competition with consentmanager gmbh. The client will only perform controls to the extent necessary and will not disproportionately disrupt the operational activities of consentmanager gmbh.
2. consentmanager gmbh undertakes to provide the client with all information and evidence necessary to carry out a review of consentmanager gmbh's technical and organizational measures, within a reasonable period of time, at his/her written or verbal request.
3. The client documents the inspection result and informs consentmanager gmbh about it. In the event of errors or irregularities which the client determines, in particular when checking the results of an order, he/she must inform consentmanager gmbh immediately. If, during the inspection, circumstances are identified whose future avoidance requires changes to the order of procedure, the client shall notify consentmanager gmbh of the necessary procedural changes without delay.
4. Upon request, consentmanager gmbh provides the client with a comprehensive and up-to-date data protection and security concept for order processing and authorized persons.
5. On request, consentmanager gmbh will prove to the client the obligation of the employees according to § 6 paragraph 4.

9. Use of subcontractors

1. The contractually agreed services or the partial services described below may be carried out by subcontractors listed in Appendix 1.5. consentmanager gmbh is authorized to create further subcontracting relationships with sub-contractors (“subcontractor relationship”) as part of its contractual obligations. consentmanager gmbh is required to carefully select subcontractors for their suitability and reliability. consentmanager gmbh will inform the client immediately if new subcontractors are used. The client therefore has a right to reject new subcontractors within one week upon notification. consentmanager gmbh has the obligation to engage subcontractors in accordance with the terms of this Agreement, and to ensure that the client is able to exercise his/her rights under this Agreement (in particular, his/her audit and control rights) directly with subcontractors. If subcontractors from a third country are to be included, consentmanager gmbh must ensure that the respective subcontractor has an adequate level of data protection (e. g. by concluding an agreement based on EU standard data protection clauses). Upon request, consentmanager gmbh will prove to the client the conclusion of the afore-mentioned agreements with his subcontractors.
2. A subcontracting relationship within the meaning of these provisions does not exist if consentmanager gmbh entrusts third parties with services that are to be regarded as mere fringe benefits. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without specific reference to services that consentmanager gmbh provides for the client and security services. Maintenance and testing services represent subcontractor agreements subject to approval, if these are provided for IT systems that are also used in connection with the provision of services for the client.

10. Inquiries and rights of those affected

1. consentmanager gmbh supports the client as far as possible with suitable technical and organizational measures in the fulfillment of its obligations under Art. 12-22 as well as 32 to 36 GDPR.
2. If an affected person asserts rights, such as information, rectification or deletion of his/her data, directly against consentmanager gmbh, consentmanager gmbh does not react independently, but refers the person concerned without delay to the client and waits for his instructions.

11. Liability

1. consentmanager gmbh acknowledges that if a Data Subject has suffered damage as a result of any breach of consentmanager gmbh's or any of its sub-processors' obligations referred to in this DPA, consentmanager gmbh may be responsible to pay any fines or compensation that might arise as a result of the breach.
2. If the Client has paid such compensation or fine, as written above, due to a breach by consentmanager gmbh of its obligations referred to in this DPA, the Client is entitled to issue a claim against the consentmanager gmbh in turn.
3. The Client acknowledges that if a Data Subject has suffered damage as a result of any breach of the Client's obligations referred to in this DPA, the Client may be responsible to pay any fines or compensation that might arise as a result of the breach.
4. If consentmanager gmbh has paid such compensation or fine, as written above, due to a breach by the Client of its obligations referred to in this DPA, consentmanager gmbh is entitled to issue a claim against the Client in turn.
5. In each case, the parties release themselves from liability, if a party proves that they are in no way responsible for the circumstances in which the damage occurred to a Data subject.

12. Extraordinary right of termination

1. The client may terminate the Main Contract without notice in whole or in part, if consentmanager gmbh does not fulfill its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or cannot or will not carry out an instruction of the client. In the case of simple – i.e. neither intentional nor grossly negligent – infringements the client sets consentmanager gmbh a reasonable period within which consentmanager gmbh can stop the infringement.

13. Termination of the Main Contract

1. consentmanager gmbh will give all documents, data and data carriers, provided to it by the client, back to the client after the completion of the Main Contract or at any time at the clients request or delete them at the clients request ¡V unless there is an obligation under EU law. This also applies to any backups at consentmanager gmbh. consentmanager gmbh must have the documented proof of the orderly deletion of still existing data. Documents to be disposed of must be destroyed using a document shredder in accordance with DIN 32757-1. Media to be disposed of must be destroyed in accordance with DIN 66399.
2. The client has the right to control the complete and contractual return or deletion of the data at consentmanager gmbh in an appropriate manner.
3. consentmanager gmbh is required to treat the data disclosed to consentmanager gmbh in connection with the Main Contract as confidential even after the termination of the Main Contract. The present contract will continue to apply beyond the end of the Main Contract as long as consentmanager gmbh has personal information submitted by or collected by consentmanager gmbh.

14. Final provisions

1. Changes and additions to this agreement must be made in writing. Changes and additions to this agreement must be in writing. The writing requirement also applies to the waiver of the written form.
2. If individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
3. This agreement is subject to German law. Exclusive jurisdiction is hamburg.

Appendix 1.1 - Description of data / data categories

Client data: First name, surname, e-mail address, postal address, telephone number, fax number, Skype data, bank details, PayPal data, tax number, order data, IP address, time of visit, duration of visit
Visitor data: IP address, time of visit, consent information, browser string, referrer, country

Appendix 1.2 - Description of the affected / affected groups

Client, Website Visitor (third party)

Appendix 1.3 - Technical and organizational measures of consentmanager gmbh

Among other things, consentmanager gmbh will implement the following technical and organizational measures:
• Documented list of keys to consentmanager gmbh’s offices
• Locking of the office rooms after work
• Surveillance of datacenters via alarm, video, movement sensors
• Access control to datacenters via id reader, magnet card or chip card
• Confidentiality obligation of employees
• Use of password protection for client logins, servers, admin panel
• Use of “hard” passwords (Special Chars, Numbers, Upper-/Lower-Case) for servers
• Use of protection software (anti-virus, anti-malware, anti-spam)
• Automated updates for protection software
• Use of firewalls to protect the data
• Use of DMZ principles
• Encryption of data
• Internal separation of functions (testing vs. live environment)
• Use of https/ssl encryption
• Use of protocols
• Backup and recovery
• “Privacy by default”

Appendix 1.4 - Authorized Persons

The authorized persons of the client are to be named by the client when the contract is signed. The recipients of the directive at consentmanager gmbh are the managing directors of consentmanager gmbh AB and the contact person assigned to the client.

Appendix 1.5 – Subcontractors

consentmanager AB, Haltegelvägen 1b, 72348 Västeras, Sweden
HostEurope GmbH, Hansestr. 111, 51149 Cologne, Germany
Plusserver GmbH, Hohenzollernring 72, 50672 Cologne, Germany
DataCamp Ltd, 207 Regent Street, London, UK,
Strato AG, Pascalstr. 10, 10587 Berlin, Germany
Domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany