Order processing contract

Order processing contract in accordance with Art. 28 GDPR


The following contract is concluded between the Clockodo customer (controller) and Clockodo GmbH (processor), Viktoriastraße 25 A, 59425 Unna, Germany.

As of: June 3, 2025

Recitals

This agreement specifies the contracting parties’ obligations concerning data protection arising from the contractual relationship existing between the contracting parties regarding the use of the SaaS solution clockodo.com and the General Terms and Conditions. The Client is the data controller under data protection law, the Contractor is the processor.

1. Purpose and duration of the order

1.1. The subject matter of the order is detailed in the General Terms and Conditions and the description in Annex 1.
1.2. The duration of this order (term) corresponds to the duration of the General Terms and Conditions.
1.3. This contract replaces all previous order-processing agreements.

2. Specifics of the order

2.1. A detailed description of the subject matter of the order with regard to the scope, nature and purpose of the Contractor's tasks can be found in Annex 1.

The contractually agreed data processing shall take place exclusively within a Member State of the European Union or in another state that is party to the Agreement on the European Economic Area. Relocations or data processing in a third country may only take place if the specific requirements of Art. 44 et seq. GDPR are met. The adequate level of protection is determined by an adequacy decision of the Commission (Art. 45 (3) GDPR) or is established by binding corporate rules (point (b) of Art. 46 (2) in conjunction with Art. 47 GDPR); it can also be established by standard data protection clauses (points (c) and (d) of Art. 46 (2) GDPR) or an approved code of conduct (point (e) of Art. 46 (2) in conjunction with Art. 40 GDPR); proof can also be provided by an approved certification mechanism (point (f) of Art. 46 (2) in conjunction with Art. 42 GDPR).

2.2. The type of personal data used (categories of data) and the categories of data subjects are specifically described in Annex 1.

3. Technical and organisational measures

3.1. The Contractor shall document the implementation of necessary technical and organisational measures prior to the start of the processing, in particular with regard to the specific execution of the order, and shall make them available to the Client. The current version of the technical and organisational measures can be found at https://www.clockodo.com/en/data-privacy/.

3.2. The Contractor shall establish the security according to point (c) of Art. 28 (3), 32 GDPR especially in conjunction with Art. 5 (1), (2) GDPR. Overall, the measures to be taken are data security measures and are taken to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In the process, the state of the art, the costs of implementation, the nature, scope and purposes of processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons shall be considered within the meaning of Art. 32 (1) GDPR.

3.3. The technical and organisational measures are subject to changes in technology and other developments. In that regard, the Contractor is permitted to implement adequate alternative measures. In so doing, the security level must not fall below that of the previously agreed measures. Significant changes shall be documented.

4. Rectification, erasure and restriction of personal data

4.1. If, due to applicable data protection laws, the Client is required to provide information to an individual regarding the collection or processing of that individual's data, the Contractor shall assist the Client in providing such information. This presupposes that the Client has requested the Contractor to do so in writing or in text form. The Contractor shall not respond to any requests for information and shall refer the data subjects to the Client in this respect.

4.2. If a data subject contacts the Contractor with requests for rectification, erasure or restriction, the Contractor shall refer the data subject to the Client.

5. Quality assurance and other Contractor obligations

In addition to complying with the provisions of this order, the Contractor has legal obligations according to Art. 28 to 33 GDPR; in this respect, the Contractor shall, in particular, ensure compliance with the following requirements:

  • The Contractor shall appoint a data protection officer in writing, who will perform his/her duties in accordance with Art. 38 and 39 GDPR. The contact details can be found at https://www.clockodo.com/en/data-privacy/.
  • The Contractor shall ensure that confidentiality is maintained in accordance with point (b) of Art. 28 (3) sentence 2, Art. 29 and Art. 32 (4) GDPR. In carrying out work, the Contractor shall exclusively use employees who are bound to confidentiality and who have previously been familiarised with the relevant data protection provisions. The Contractor and any person under the Contractor’s authority who has access to personal data may only process such data in accordance with the Client’s instructions, including the powers granted in this contract, unless they are legally obligated to process the data.
  • The Client and the Contractor shall cooperate, on request, with the supervisory authority in the performance of its tasks. The Contractor shall immediately notify the Client of any control procedures and measures taken by the supervisory authority insofar as they relate to this order. This shall also apply insofar as a competent authority is conducting an investigation into administrative or criminal offenses by the Contractor with regard to its processing of personal data. If the Client is subject to an inspection by the supervisory authority, administrative or criminal proceedings, the liability claim of a data subject or a third party, or any other claim in connection with the order processing by the Contractor, the Contractor shall support the Client to the best of its ability.

6. Subcontractor

6.1. Subcontracting within the meaning of this regulation includes those services that relate directly to the provision of the main service. The Contractor shall be obligated to enter into appropriate and legally binding contractual agreements and control measures to ensure the protection and security of the Client's data, especially when such services are outsourced.

6.2. The Contractor uses the subcontractors referred to in Annex 2 to carry out individual processing activities. Changing existing subcontractors as well as the engagement of additional subcontractors shall only be permissible if the Contractor notifies the Client of such outsourcing to another subcontractor a reasonable time in advance, but at least four weeks, and the Client does not object to the planned change in writing or in text form to the Contractor by the time the data are handed over. In the event of technical problems or data protection incidents at the subcontractor, the Contractor shall be entitled to change the subcontractor immediately and without observing a specified deadline in order to ensure the continued provision of the service offered. A contractual agreement pursuant to Art. 28 (2–4) GDPR is mandatory.

7. Control rights of the Client

7.1. The Client shall be entitled to carry out checks in consultation with the Contractor or to have them carried out by inspectors to be appointed on a case-by-case basis. It has the right to conduct periodic random checks in its business operations, which must generally be notified at least four weeks in advance, to ensure compliance with this agreement by the Contractor.

7.2. The Contractor shall ensure that the Client can satisfy itself of the Contractor's compliance with the obligations pursuant to Art. 28 GDPR. The Contractor undertakes to provide the necessary information to the Client upon request and to demonstrate in particular the implementation of the technical and organisational measures.

7.3. Proof of such measures, which do not only concern the specific order, may be provided by compliance with an approved code of conduct pursuant to Art. 40 GDPR, certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR or current certificates, reports or report extracts from independent bodies (e.g. accountants, auditing, data protection officer, IT security department, data protection auditors, quality auditors) or suitable certification by way of IT security or data protection audits.

8. Notifications in the event of breaches by the Contractor

8.1. The Contractor shall support the Client in complying with the obligations regarding the security of personal data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations set out in Articles 32 to 36 GDPR. This includes ensuring an adequate level of protection by way of technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential legal infringement due to vulnerabilities and allow for the immediate detection of relevant violations. The Contractor shall be obligated to report personal data breaches to the Client without delay. Likewise, the Contractor shall support the Client as part of its duty to inform the data subject and, in this context, shall provide the Client with all relevant information without delay, and, in particular, shall support the Client in its data protection impact assessment or in the context of prior consultations with the supervisory authority.

8.2. The Contractor shall be entitled to charge for support services that are not included in the service description and are not attributable to the improper conduct of the Contractor or a subcontractor; such charges shall be coordinated and agreed with the Client in advance in individual cases.

9. The Client's authority to issue instructions

9.1. The Client shall confirm verbal instructions without delay (at least in text form).

9.2. The Contractor shall notify the Client immediately if it believes an instruction is in breach of applicable data protection regulations. The Contractor shall be entitled to suspend the performance of the relevant instruction until it is confirmed or amended by the Client.

10. Erasure and return of personal data

10.1. Copies or duplicates of data shall not be created without the Client’s knowledge. This does not include backup copies, insofar as they are necessary to ensure proper data processing, as well as data which are necessary with regard to compliance with statutory retention obligations.

10.2. Upon termination of the service agreement the Contractor will delete or return all data resources that are related to the contractual relationship. The data may be returned by exporting it from the application; the data shall be deleted after the retention period specified in the General Terms and Conditions or at the direct instruction of the Client.

10.3. The Contractor shall document the proper processing of the data as agreed and retain said documentation for the statutory retention period beyond the termination of this contract.

11. Information obligations, written form clause, choice of law

11.1. Amendments and supplements to this Annex and all its constituent parts—including any warranties made by the Contractor—shall require express agreement and express reference to the fact that it is an amendment or supplement to these terms. This also applies to the waiver of this written form requirement.

11.2. In the event of any contradictions, the provisions of this agreement shall take precedence over the provisions of the General Terms and Conditions. Should any part of this agreement be invalid, this shall not affect the validity of the overall agreement.

Annex 1: Subject matter of the order

The subject of the data handling order is the Contractor’s performance of the following tasks:

In particular, the following activities are part of the data processing: storage of the data entered by the Client via the user interface of clockodo.com in a database; reproduction, systematisation, tabular and/or graphical analysis of the data as well as erasure of the data at the Client’s request; maintenance and hosting of the IT systems, software and databases underlying the service; and the handling of backups.

The Contractor processes personal data on behalf of the Client. This is done by using clockodo.com, a SaaS solution for time tracking. The personal data processed on the basis of the General Terms and Conditions are that which the Client enters into clockodo.com for the purpose of recording the working hours of its employees as well as for the evaluation and invoicing of its customers.

Categories of data:
☒ Contact data
☒ Master data
☒ Time recording data
☒ Health data

Scope of data subjects:
☒ Employees
☒ Customers

The Contractor has no influence on any further personal data that the Client may enter in Clockodo. It is incumbent on the Client to prove a corresponding legal basis for this.

Annex 2: Subcontracting relationship

Rapidmail

Rapidmail GmbH
Wentzingerstr. 21
79106 Freiburg i. Br.
Germany

Service: Sending newsletters and emails from the application

Microsoft

Microsoft Deutschland GmbH
Walter-Gropius-Str. 5
80807 München
Germany

Service: Web hosting of the application my.clockodo.com incl. storage of customer data (server location Germany)

CleverReach

CleverReach GmbH & Co. KG
//CRASH Building
Schafjückenweg 2
26180 Rastede
Germany

Service: Sending information on application-related functions and transactional emails (no advertising)

Sentry

Functional Software Inc. d/b/a Sentry
45 Fremont Street, 8th Floor
San Francisco, CA 94105
USA

Service: Application monitoring and error tracking

Hetzner

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Service: Emergency server for Clockodo databases
