������Ƶ

The Intercompany Data Processing Agreement is essential for corporate groups operating in Germany who need to establish compliant data processing relationships between group entities. This document is required whenever one group company processes personal data on behalf of another group company, ensuring compliance with Article 28 GDPR and German data protection law. It addresses specific requirements under German jurisdiction, including the BDSG, while accounting for the interconnected nature of group operations. The agreement is particularly important in the context of shared services arrangements, IT infrastructure sharing, and centralized data processing operations within corporate groups. It includes provisions for technical and organizational measures, data breach notifications, audit rights, and sub-processing arrangements, all tailored to the German legal framework and intra-group relationships.

1. Parties: Identification of the controller and processor entities within the company group, including registration details as required under German law

2. Background: Context of the agreement, relationship between the group companies, and purpose of the data processing arrangement

3. Definitions: Key terms used in the agreement, including GDPR-specific terminology and company group-specific terms

4. Scope and Purpose of Processing: Detailed description of the processing activities, categories of data, and processing purposes

5. Duration of Processing: Term of the agreement and processing activities

6. Nature and Purpose of Processing: Specific details about how and why the data will be processed

7. Obligations of the Processor: GDPR Article 28 requirements including processing only on documented instructions, confidentiality, security measures, and sub-processor requirements

8. Obligations of the Controller: Responsibilities of the controlling entity including providing documented instructions and ensuring lawful basis for processing

9. Technical and Organizational Measures: Security measures implemented to ensure appropriate data protection

10. Sub-processing: Conditions and requirements for engaging sub-processors

11. Data Subject Rights: Procedures for handling data subject requests and providing assistance

12. Data Breach Notification: Procedures and timeframes for reporting data breaches

13. Audit Rights: Controller's rights to audit and processor's obligations to demonstrate compliance

14. Termination: Conditions for termination and data handling upon termination

15. Governing Law and Jurisdiction: Specification of German law as governing law and jurisdiction for disputes