General Terms and Conditions

1. Scope of application

1.1 Munich Consulting Services GmbH, Keltenring 15, 82041 Oberhaching, registered in the Commercial Register B of the Local Court of Munich under HRB 287926 (“MUCS”) offers a web-based ESG Software-as-a-Service (SaaS) (“Software”) for companies.
1.2 These General Terms and Conditions (“GTC”) govern the Software subscription for customers (B2B). The Software may be subject to additional offer documents (or similar) provided by MUCS (together “Contract”).
1.3 Deviating GTC of the Customer shall not apply to the Contract unless MUCS expressly agrees to their application in text form.

2. Conclusion of contract, trial version

2.1 The use of the Software requires the creation of an account (“Account”). By setting up an Account, the Customer submits a binding offer to conclude a contract for the free use of the Software for test purposes (“Free Version”). MUCS may accept this offer at its own discretion by sending a notification to the e-mail address provided with the access data for the Account set up. By activating the account, MUCS grants the Customer a free right to use the Software for a period of 14 days for test purposes (“Test Period”). The customer is only entitled to one test period. MUCS may extend the Test Period at its own discretion. At the end of the Test Period, the Customer’s account shall be restricted.
2.2 After expiry of the test period in accordance with Section 2.1, the customer may conclude a chargeable contract with MUCS for the use of the software.
2.3 The customer can conclude chargeable contracts by
a. selecting the “Premium Version” of the Software, adding the required contract information in his account and having this confirmed by MUCS, or
b. requesting a corresponding offer in written or text form from MUCS and the Customer accepting it.

3. Scope of software and services

3.1 MUCS shall make the software available during the term of the contract. The functional scope of the Software and the description of the Services shall be made available to the Customer on the website of ESG International Standardization Association e.V. (“ESGISA”) (www.esgisa.org) (“Service Description”).
3.2 Without limiting any other rights or remedies, MUCS may temporarily suspend the Customer’s access to any part of the Software (without liability) if
a. MUCS determines, in its reasonable discretion, that (i) there is a threat or attack on the Software or any other event that may pose a risk to the Software, the Customer or any third party; (ii) the Customer’s use of the Software interferes with the Software or any third party or poses a security risk to the Software or any third party; or
b. MUCS has notified Customer that any amount owed by Customer under the Agreement is 30 or more days past due and Customer has failed to make payment in full within five (5) days of receipt of such notice (collectively, “Suspensions”). MUCS shall notify Customer in advance (to the extent reasonably possible) of any Suspension and inform Customer of the continuation of the Software and Services following a Suspension.

4. Availability


4.1 MUCS shall provide the Software with an annual average availability of 98%. Excluded are times when the server is unavailable due to other technical problems beyond the control of MUCS (e.g. force majeure). Also excluded is planned maintenance work (e.g. software updates) that takes place outside Monday to Friday between 10:00 a.m. and 4:00 p.m. BST/CEST/CET (“Normal Business Hours”).
4.2 Troubleshooting shall commence within three working days. Delays in fault rectification for which the customer is responsible (e.g. due to the unavailability of a contact person on the customer side or late notification of the fault) shall not be counted towards the fault rectification time.
4.3 The customer can contact support via info@esgisa.org.

5. Obligations of the customer

5.1 The following obligations are primary obligations of the customer and are not to be classified merely as secondary obligations or duties.
5.2 The customer is obliged to check the functionalities of the software during the test period in accordance with Section 2.2 and to notify MUCS in text form of any possible defects and other deviations from the service description before concluding a fee-based contract for the use of the software. The customer may not invoke defects and other deviations from the service description that were already known or present during the test period but were not reported before the conclusion of a fee-based contract for the use of the software.
5.3 The customer is solely responsible for the content and data processed in the software. The customer is obliged to use the software only in accordance with the contract and within the framework of the applicable statutory provisions and not to infringe any third-party rights during use. The customer shall inform MUCS immediately in text form about:
a) the misuse or suspicion of misuse of the Software and Services;
b) a risk or suspicion of a risk to compliance with data protection or data security that occurs in the course of the provision of the contractually agreed service;
c) a risk or the suspicion of a risk to the service provided by MUCS, e.g. due to loss of access data or hacker attack.
5.4 The customer is obliged to ensure the following technical requirements:
5.4.1 The connection to the Internet with sufficient bandwidth and latency is the responsibility of the customer.
5.4.2 The customer is responsible for taking state-of-the-art IT security measures to ensure that the use of the software in its own organization is subject to appropriate security standards.
5.4.3 The customer is obliged to ensure that its users of the software do not pass on their access data.
5.4.4 The customer must ensure the security of the Internet connection used, in particular by using company-owned instead of public Virtual Private Networks (VPN) and by using VPN connections in public networks.
5.4.5 The Customer shall be responsible for the technical setup and administration of the account. This applies regardless of whether MUCS supports the customer in any way in setting up the account. This includes: (i) the technical setup of the account, in particular the migration of data, configuration of processes; (ii) the administration of the account, in particular the creation of users and roles as well as the allocation of access.

6. Granting of rights

6.1 MUCS grants the customer a non-exclusive, non-transferable and time-limited right to use the subscribed software for the agreed term.
6.2 The customer undertakes to use the software only in accordance with the contract and not to allow third parties to use it. Insofar as the software plan provides for this, the customer’s right of use shall also extend to the customer’s affiliated companies within the meaning of § 271 HGB (German Commercial Code), §§ 15 ff. AktG or to affiliated companies / holding companies / subsidiaries within the scope of the applicable corporate law provisions.
6.3 In order to further develop and improve the software, MUCS may process non-personal or anonymized data. For this purpose, MUCS may anonymize the data stored in the Software. The Customer agrees that MUCS holds all rights to such non-personal or anonymized data and may use it in any way for development, diagnostic, corrective, security, marketing or other purposes.

7. Term and termination

7.1 Subject to Section 2.1, the Agreement shall enter into force on the day it is signed and shall end one (1) year after the initial provision of the software access code to the Customer. Unless one of the parties terminates the Agreement at least three (3) months before expiry, the Agreement shall be automatically renewed for a further one (1) year period.
7.2 Either party may terminate the contract by giving three (3) months’ notice to the end of each new period of one (1) year.
7.3 The right of both parties to terminate the contract for good cause remains unaffected.
7.4 Notice of termination must be given in text form.

8. Terms of payment

8.1 The prices for the software shall apply in accordance with the respective offer on ESGISA’s website (www.esgisa.org) at the time the contract is concluded, unless otherwise agreed. All amounts are exclusive of applicable taxes and duties.
8.2 Any discounts agreed at the time of conclusion of the contract shall not apply to the extension of the contract unless the parties have expressly agreed to this.
8.3 Unless otherwise agreed, the granting of rights for the Software (see clause 6) shall be invoiced annually in advance at the time of order or, if applicable, at the time of renewal of the Contract (see clause 7.1).
8.4 Invoices are due for payment without deduction within thirty (30) days of the invoice date. Electronic invoices shall be sent to the customer.

9. Warranty, liability for defects

9.1 Clauses 9.2, 9.4, 9.6 and 9.7 shall only apply in the case of the provision of software by MUCS against payment. Insofar as MUCS provides software free of charge, MUCS’s liability for damages shall be limited to fraudulent intent.
9.2 MUCS shall provide the software free of material defects and defects of title (e.g. infringement of third-party property rights) and shall maintain the software in a condition suitable for use in accordance with the contract during the term of the contract.
9.3 Any defects or disruptions to system availability must be reported by the customer as soon as they become known, stating the circumstances of their occurrence. In the event of software malfunctions, the customer shall support MUCS to a reasonable extent in troubleshooting and eliminating errors.
9.4 MUCS shall remedy the defect within a reasonable period of time. In the event of reports and disruptions to system availability that lead to a total failure of the software and which are received within the support times (published by MUCS), MUCS shall endeavour to provide a response time of 24 hours from the start of the malfunction. In the case of minor errors which do not lead to a total failure of the software and which occur during ongoing operation, MUCS shall endeavour to respond no later than three working days after receipt of the error message.
9.5 MUCS is entitled to point out temporary workarounds and to eliminate the actual cause later by adapting the software, insofar as this is reasonable for the customer.
9.6 Strict liability for initial defects in accordance with § 536a I Alt. 1 BGB is excluded.
9.7 Claims for defects shall become time-barred within six months. This shall not apply to claims for damages for which MUCS is compulsorily liable by law (see Section 10.1).

10. Limitation of liability

10.2 In the event of slight negligence, MUCS shall only be liable for damages caused by MUCS in the case of services against payment and which are based on such material breaches of duty which jeopardize the achievement of the purpose of the contract or on the breach of obligations, the fulfilment of which is essential for the proper execution of the contract and on the observance of which the customer may rely (so-called breach of cardinal obligations). In these cases, the liability of MUCS is limited to the foreseeable damage typical for the contract. Liability for the slightly negligent breach of obligations that are not cardinal obligations (cf. Section 10.2 sentence 1) is excluded, unless MUCS is liable under the law (cf. Section 10.1 sentence 2).
10.3 In the event of the provision of services free of charge (e.g. within the scope of the test period), MUCS shall only be liable for damages caused by intent or gross negligence as well as fraudulent intent. This limitation of liability shall not apply to damages resulting from injury to life, body or health, for which MUCS shall be liable without limitation.
10.4 The limitations of liability in clauses 10.1 to 10.3 shall also apply to claims against executives, employees, other vicarious agents or subcontractors of MUCS.

11. Data protection and confidentiality

11.1 MUCS acts as processor for the customer data stored and processed in the software and the customer is the controller of this data. For all Customers, the Data Processing Schedule 1 (“Data Processing Agreement”) is hereby agreed and incorporated and forms an integral part of the Contract. In the event of a conflict, the Data Processing Agreement shall take precedence over these GTC.
11.2 “Confidential Information” means any information, whether in written or oral form, which (i) is by its nature confidential or (ii) the party to whom the information is disclosed must recognize as confidential due to the particular circumstances. Confidential information includes, in particular, product descriptions and specifications as well as prices. The parties undertake the following:
a) Not to disclose Confidential Information of the other party to third parties without express consent (at least in text form).
b) To use the confidential information only for contractually agreed purposes.
c) To take at least the same security measures that they take in relation to their own confidential information. These precautions must be at least adequate to prevent disclosure to unauthorized third parties. In addition, both parties are obliged to prevent the unauthorized disclosure or use of confidential information by their customers, employees, subcontractors or legal representatives.
d) To inform each other in text form of any misuse of confidential information.
11.3 Confidential information is not information that:
a) Was known to the other party prior to transmission and without an existing confidentiality agreement,
b) Transmitted by a third party who is not subject to a similar confidentiality agreement,
c) Otherwise publicly known,
d) Developed independently and without the use of confidential information,
e) Has been released for publication in text form, or
f) Must be disclosed pursuant to a legally binding court or administrative order, provided that the party affected by the disclosure is informed in good time in order to be able to take legal protection measures.
11.4 Neither party may obtain confidential information through reverse engineering. In this context, “reverse engineering” means all actions, including observing, testing, examining and reassembling, with the aim of obtaining confidential information.
11.5 The restrictions contained in clauses 11.2 to 11.4 shall apply beyond the termination of the contractual relationship.

12. Reservations of change

12.1 MUCS has the right to change these GTC at any time or to change regulations for the use of newly introduced additional services or functions of the software. Amendments and supplements to these GTC shall be notified to the customer by e-mail to the e-mail address provided at least four weeks before the planned entry into force of the amendments. The customer shall be deemed to have consented to the amendment of the GTC if the customer does not object to the amendment in text form within a period of two weeks, beginning on the day following the announcement of the amendment. The announcement must refer to the change, the possibility of objection, the objection period, the text form requirement and the result of the objection.
12.2 MUCS reserves the right to change the software in order to offer different functionalities, unless the changes or deviations are unreasonable for the customer. If the provision of a modified version of the software or a change in the functionality of the software is accompanied by significant changes to the customer’s work processes supported by the software and restrictions in the usability of the previously generated data, MUCS shall notify the customer of this in text form at least four weeks before the date on which such a change comes into force. If the customer does not object to the change in text form within a period of two weeks after receipt of the notification of change, the change shall become part of the contract. The notification of change shall refer to the change, the possibility of objection, the objection period, the text form requirement and the result of the objection.
12.3 MUCS also reserves the right to change the software in order to offer different functionalities, (i) insofar as this is necessary to bring the services offered by MUCS into compliance with the law applicable to these services, in particular if the legal situation changes; (ii) insofar as MUCS complies with a court or official decision addressed to MUCS; (iii) insofar as this is necessary to eliminate security gaps in the software; (iv) due to significant changes in the services or contractual conditions of third-party providers or subcontractors or (v) insofar as this is predominantly advantageous for the customer. In particular, MUCS reserves the right to restrict or discontinue the provision of additional functionalities or integrations if the technical partners for these additional functionalities or the providers of partner integrations significantly change or restrict their services or contractual conditions and MUCS can therefore no longer be expected to continue providing them, e.g. because the additional effort required by MUCS is disproportionately high. In the case of an annual contract period, the customer shall receive a reasonable pro rata refund of the remuneration paid in advance, provided that the additional functionality or integration was invoiced separately.
12.4 MUCS is entitled to adjust its list prices annually by a reasonable amount to compensate for increases in personnel costs or other costs. MUCS shall notify the customer of these price adjustments and the date on which the price adjustment takes effect in text form. The price adjustments shall not apply to periods for which the customer has already paid. If the price increase amounts to more than 5% of the previous price, the customer may object to this list price increase within a period of two weeks from notification. A change in the price due to a change in the scope of services or the number of employees to be managed shall not be deemed a price adjustment within the meaning of this clause 12.4.
12.5 If the customer objects to a change within the meaning of this Section 12 in accordance with the respective notification obligations, the proposed change shall not take effect and the contract shall continue under the previous conditions. In this case, MUCS reserves the right to terminate the contract extraordinarily with one month’s notice.
12.6 With the exception of the amendments referred to in Clauses 12.1 to 12.4, the parties must agree any amendment to the contract in text form.

13. Final provisions

13.1 Unless otherwise agreed, notifications and declarations under this contract must be made in writing, which also includes text form (e.g. e-mail). Amendments to the contract must be made in writing or text form. This also applies to the waiver of this formal requirement.
13.2 If any provision of the Contract is invalid or unenforceable, the other provisions of the Contract shall remain enforceable and the invalid or unenforceable provision shall be deemed to be modified so as to be valid and enforceable to the maximum extent permitted by law.
13.3 The contract between the parties shall be governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising from and/or in connection with the contract between MUCS and the customer is, as far as legally permissible, Munich.

Annexure 1 - Data Processing Agreement

1. General regulations

1.1 Introduction, scope of application, definitions
1.1.1 This Data Processing Agreement governs the rights and obligations of the Customer (“Controller”) and MUCS (“Processor”) in the context of the processing of personal data on behalf of MUCS (“Annex”). This Annex is designed to comply with the provisions of the applicable EU General Data Protection Regulation (“GDPR”). In the event of any conflict between the provisions of this Schedule and the Contract, the provisions of this Schedule shall prevail.
1.1.2 Unless otherwise defined in this Schedule, the definitions of the Agreement and the GDPR shall apply.
1.1.3 The Controller agrees to the terms of this Schedule on its own behalf and on behalf of any Affiliates that may be involved in the Processing of Personal Data under this Schedule.
1.2 Subject matter of the processing, categories of data and data subjects
1.2.1 Details regarding the possible data processing are set out in sections 1.2.2 and 1.2.3. The Controller acknowledges that the scope of data processing is at the discretion of the Controller and may vary depending on the use of the Software and Services.
1.2.2 The following data types/categories are regularly subject to processing:
a) Personnel master data (in particular name, address, e-mail)
b) Contract master data
c) Contract billing and payment data
1.2.3 The categories of data subjects affected by the processing may regularly include, in relation to the controller (or an affiliated company of the controller):
a) Employees – freelancers, employees or volunteers
b) Former employees – freelancers, employees or volunteers
The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union, another state party to the Agreement on the European Economic Area or a state with an adequate level of data protection in accordance with Art. 45 GDPR, which is determined by the European Commission.
1.2.4 The Processor may only carry out an international transfer of personal data to a country outside the European Economic Area in accordance with the GDPR and must take appropriate protective measures to the extent required by the GDPR.
1.2.5 The Processor shall process personal data for the duration of the provision of the relevant software or services, unless otherwise agreed in writing.

2. Confidentiality

The processor shall ensure confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. (b), 29 and 32 para. 4 GDPR. The processor shall ensure that all persons it engages to process personal data are subject to a (contractual or statutory) duty of confidentiality.

3. Obligations of the controller

3.1 The Controller shall be responsible for compliance with the GDPR in relation to the use of the Software and Services (as applicable).
3.2 The Controller shall inform the Processor immediately if it discovers any errors or irregularities in the processing with regard to data protection regulations.
3.3 If necessary, the Controller shall inform the Processor of the contact person for data protection issues arising within the scope of this Annex.

4. Instructions

4.1 The Processor may only process the Personal Data in accordance with the Controller’s instructions (provided that these instructions fall within the scope of the Software) or to the extent necessary to comply with the GDPR. The Processor shall notify the Controller immediately if it believes that an instruction may violate the GDPR. The Processor shall not be obliged to comply with any such instruction in breach of the GDPR unless the matter has been resolved by mutual agreement between the parties.
4.2 The Controller shall designate the persons exclusively authorized to issue instructions within the Software. If no person authorized to issue instructions is named, only natural persons who are authorized to legally represent the Controller are entitled to issue instructions. The Processor may suspend the execution of instructions until the Controller has proven to the Processor that it is authorized to legally represent the Controller.

5. Obligations of the processor

5.1 General obligations of the Processor
5.1.1 The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultation with the supervisory authority, in each case solely in relation to the Processing of the Controller’s Personal Data, taking into account the nature of the Processing and the information available to the Processor. The Processor may charge the Controller for the assistance to the extent that it is not commercially reasonable for the Processor to provide such assistance free of charge (taking into account the scope, complexity and timeframe). The Processor shall inform the Controller in advance of the estimated remuneration.
5.1.2 The Processor shall inform the Controller without undue delay of any inspections and measures taken by the supervisory authority insofar as they relate to this Annex. This shall also apply if a competent authority investigates the Processor in the context of administrative offense or criminal proceedings relating to the processing of personal data from this order processing, unless the Processor is legally or officially obliged to refrain from notification.
5.2 Verifications
5.2.1 The Controller shall be entitled to verify compliance with the obligations under this Annex, the technical and organizational measures (“TOM”) and the data protection regulations by agreement – taking into account a 14-day lead time – with the Processor during the Processor’s normal business hours or to have them verified by auditors to be appointed in individual cases. For this purpose, the controller may, among other things, inspect the relevant buildings and facilities of the processor, obtain information or inspect its own data, taking into account the legitimate interests of the processor. For inspections that become necessary due to a security incident or a more than insignificant breach of the provisions on the protection of personal data or provisions of this Annex (“incident-related on-site inspection”), the notification period from sentence 1 is shortened to a reasonable period of time. Furthermore, ad hoc on-site inspections are not subject to the restrictions of sections 5.2.3 to 5.2.4 of this Annex.
5.2.2 The processor may make consent to the audit conditional on the auditor signing an appropriate confidentiality agreement. If the auditor commissioned by the Controller is in a competitive relationship with the Processor or if there is another justified case, the Processor shall have the right to object to this.
5.2.3 Within the scope of this section, the Processor shall only be obliged to tolerate and cooperate in one on-site inspection per calendar year without cause. The cost of an on-site inspection without cause is generally limited to one day per calendar year for the Processor.
5.2.4 If and as long as the Processor provides evidence of the fulfilment of its obligations, in particular the implementation of the TOM and its effectiveness, by means of suitable evidence, it reserves the right to refuse the on-site inspection of this section without cause. Suitable evidence may in particular be approved codes of conduct within the meaning of Art. 40 GDPR or an approved certification procedure within the meaning of Art. 42 GDPR. Both parties agree that the submission of certificates or reports from independent bodies, a conclusive data security concept or suitable certification through an IT security and data protection audit are also recognized as suitable evidence.

6. Technical and organizational measures

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor has implemented and maintains TOMs to ensure an adequate level of security of the Controller’s personal data. The Processor shall make the current version of the TOM available on request.
6.2 The TOMs are subject to technical progress and further development. The Processor may update or change the security measures from time to time, provided that such updates and changes do not affect or reduce the overall security of the Software and Services.

7. Subcontracting relationships

7.1 Subcontracting relationships within the meaning of this Annex are only those services that are directly related to the provision of the main service as described in Section 1.2.1. MUCS uses the following subcontractors for the aforementioned processing:

| Service provider | Company headquarters | Service | Processing location | Agreement |
| --- | --- | --- | --- | --- |
| GASQ Service GmbH | Keltenring 15, 82041 Oberhaching | IT-Support, Development | Germany, Munich | DPA |
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle WA 98109, USA | Hosting | Germany, Frankfurt | DPA |
| ESG International Standardization e.V. (ESGISA) | Keltenring 15, 82041 Oberhaching | Support, Organization, Marketing | Germany, Munich | DPA |

7.2 The commissioning of subcontractors for the processing or use of personal data is only permitted with the consent of the controller. For the subcontractors listed within MUCS at the time of the conclusion of the contract, this authorization shall be deemed to have been granted.
7.3 The Processor may remove subcontractors or add new ones. The Processor shall inform the Controller in text form by active notification (e-mail) if it intends to remove a subcontractor or appoint a new one. If the controller does not raise a reasoned objection on data protection grounds in text form (e-mail) within 14 days of receipt of the notification, this shall be deemed to constitute consent to the change. If the parties are unable to reach an agreement in the event of an objection, the Processor may terminate the Agreement with immediate effect.
7.4 If the Processor places orders with subcontractors, the Processor shall be responsible for transferring its data protection obligations under this Annex to the subcontractors and concluding a contractual agreement with them in accordance with Art. 28 para. 3 GDPR. The Processor shall remain responsible for every act or omission of its subcontractors.

8. Rights of data subjects

8.1 If a data subject contacts the Processor with a request under Chapter III of the GDPR with regard to the rights of data subjects, the Processor shall refer the data subject to the Controller, provided that an assignment to the Controller is possible after the data subjects have been identified.
8.2 The Controller acknowledges that the Software enables comprehensive self-management of its personal data in order to support it in fulfilling its obligations under the GDPR (including its obligations to respond to requests from data subjects). Insofar as the Controller is not able to process a request independently, the Processor shall provide appropriate support.
8.3 The Processor shall not be liable if the Data Subject’s request is not answered, not answered correctly or not answered on time by the Controller and this is solely the fault of the Controller.

9. Information and notification obligations

9.1 The Processor shall notify the Controller without undue delay as soon as it becomes aware of a personal data breach affecting the Controller’s personal data. The notification shall be made in accordance with Article 33 of the GDPR.

10. Release and deletion of data

10.1 Upon termination of the commissioned processing, the Processor shall return the transferred personal data in accordance with the following paragraphs. As a rule, the commissioned processing shall be terminated at the end of the contract.
10.2 The processor is obliged to retain the personal data provided for a period of 30 days after the end of the contract. The Controller shall be entitled to request the return of the personal data in a machine-readable format or the deletion of the stored personal data or, if possible, to download the data directly from the software in text form at any time up to the expiry of this period. The controller is solely responsible for the timely export of its data.
10.3 If the Controller issues the Processor with a binding deletion instruction in text form, the Processor shall be entitled to delete the data even before the retention period pursuant to Section 10.2 expires. The only exception to this is data that the processor is legally obliged to retain.
10.4 If the Controller has neither requested the data to be surrendered nor requested the deletion of the data by the expiry of the period pursuant to Section 10.2, the Processor shall be obliged to delete this data.

11. Liability

11.1 Both parties shall be liable pursuant to Art. 82 GDPR for any damage caused by a breach of this Addendum or the GDPR.
11.2 If both parties are responsible for claims of data subjects or third parties pursuant to Art. 82 para. 4 GDPR, the controller shall be solely liable for the damage, unless part of the total damage is attributable to the processor. The controller shall bear the burden of proof that the damage is not attributable to circumstances for which it is responsible.
11.3 Any limitations of liability in this Addendum shall not apply in the event of intent or gross negligence or in the event of injury to life or limb.
11.4 Otherwise, liability shall be governed by the contract.

12. Final provisions

12.1 Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other party obtained in the course of the contractual relationship, even after termination of the contract. This also applies in particular to the content of this Annex and to all documents, evidence, etc. provided in the course of the data protection audit. If there is any doubt as to whether information is subject to confidentiality, it shall be treated confidentially until written release by the other party.
12.2 Amendments and supplements to this Annex and all its components – including any assurances given by the Processor – shall be made in text form (e-mail) in accordance with the GDPR, which may also be in electronic form, and shall require an express reference to the fact that these terms and conditions have been amended or supplemented. This also applies to the waiver of this formal requirement. The parties agree that amendments to this addendum may be made in an electronic format in accordance with Art. 28 para. 9 GDPR.
12.3 Amendments and supplements to this Addendum and all its components – including any assurances given by the Processor – shall be made in text form (including e-mail) in accordance with the GDPR, which may also be in electronic form, and shall require an express reference to the fact that these terms and conditions have been amended or supplemented. This also applies to the waiver of this formal requirement. The parties agree that amendments to this addendum may be made in an electronic format in accordance with Art. 28 para. 9 GDPR.
12.4 The law of the Federal Republic of Germany shall apply. The UN Convention on Contracts for the International Sale of Goods (CISG) shall not apply. The exclusive place of jurisdiction for all disputes in connection with this Addendum is, as far as permissible, Munich.
12.5 This Addendum supersedes all prior or contemporaneous representations, understandings, agreements, contracts or communications between the Controller and the Processor, whether written or oral, relating to the subject matter of this Addendum.
12.6 This Schedule supersedes all prior or contemporaneous representations, understandings, agreements, contracts or communications, whether written or oral, between the Controller and the Processor relating to the subject matter of this Schedule.