General Terms and Conditions of Delivery of Wingfield GmbH

MAGDEBURG ("WINGFIELD") AS OF 08/24

A. GENERAL CONDITIONS

B. SPECIAL CONDITIONS FOR

I. SALE OF HARDWARE & USE OF TRACKING & DASHBOARD SOFTWARE

II. MAINTENANCE AND SERVICING OF HARDWARE & SOFTWARE

III. PROCESSING OF PERSONAL DATA

 

Preliminary remarks

WINGFIELD is a sports technology company that makes match and performance analysis accessible to the wider amateur racket sports community through a self-developed system that transforms any court in the world into a digital playing field. All that is needed is the Wingfield Box - an installation consisting of two cameras and a processor unit. Based on artificial intelligence and innovative image processing software, WINGFIELD is able to track and evaluate matches. The "Wingfield Court" product consists of three components:

1. Hardware, consisting of Wingfield Box, processor unit, IP camera and connection cable ("hardware"),
2. software responsible for collecting analysis data based on image processing algorithms, installed on the processor unit located in the Wingfield Box ("tracking software" or "software"),
3. an online dashboard, which is used to administer the Wingfield Box.

 

A. General conditions

1. Scope of application

1.1 The following General Terms and Conditions ("Terms and Conditions") govern the legal relationship between WINGFIELD GmbH ("WINGFIELD") and its customers ("Customer") with respect to the sale of hardware and the provision of software and the associated documentation or product description (collectively "Deliverables") as well as the maintenance and servicing of hardware and software and other services, including training, consulting, customization programming and installation services (collectively also "Contractual Deliverables").

1.2 The contractual deliveries and services of WINGFIELD shall be provided exclusively on the basis of these Terms and Conditions, unless otherwise expressly agreed between WINGFIELD and the customer in individual cases. General terms and conditions of business or purchase of the customer shall not be recognized by WINGFIELD, even if WINGFIELD does not expressly object to them.

1.3 These Terms and Conditions shall apply to all present and future business relations between WINGFIELD and the customer. However, these Terms and Conditions shall not apply to consumers within the meaning of Section 13 BGB.

 

2. Offers, orders

2.1 Unless expressly stipulated otherwise by WINGFIELD, all offers by WINGFIELD for contractual deliveries and services shall be subject to change and non-binding.

2.2 Deliveries and services between WINGFIELD and the customer shall be concluded by written order or in electronic form (in particular email) of the customer on the basis of offers made by WINGFIELD and a subsequent written or electronic declaration of acceptance ("order confirmation") by WINGFIELD (the relevant document is hereinafter also referred to as the "Contract").

 

3. Dates, deadlines, delay and impossibility for deliveries and services

3.1 Unless otherwise agreed between the contracting parties, the deadlines and dates contained in the contract are standard deadlines and dates without the character of a fixed obligation.

3.2 Compliance with deadlines and dates for contractual deliveries and services requires the timely receipt of all documents to be supplied by the customer, necessary approvals, releases and compliance with the agreed terms of payment and other obligations by the customer. If these requirements are not met, the performance period shall be extended accordingly.

3.3 Claims of the customer against WINGFIELD due to delay or impossibility of the contractual deliveries and services shall be excluded if contractually agreed deadlines and dates are not met due to circumstances or if the contractual delivery or service fails due to circumstances for which WINGFIELD is not responsible. This shall apply in particular in the event of force majeure (cf. Section A.7.).

3.4 Except where fixed deadlines have been agreed or in the event of unjustified refusal to perform, WINGFIELD shall only be in default with the contractual delivery or service if the customer has sent WINGFIELD a reminder of the failure to meet the deadline and has set a reasonable deadline for the provision of the contractual delivery or service.

 

4. Subcontractors

WINGFIELD shall perform the contractual deliveries and services itself or through the involvement of affiliated companies or third parties as subcontractors. Insofar as WINGFIELD engages affiliated companies or third parties as subcontractors, WINGFIELD shall be liable for their activities in accordance with these Terms and Conditions to the same extent as for its own conduct.

 

5. General obligations of the customer to cooperate and provide information

5.1 The customer has informed himself about the essential functional characteristics of the contractual deliveries and services and bears the risk as to whether these correspond to his wishes and requirements; in case of doubt, he shall seek advice from WINGFIELD employees or expert third parties before concluding the contract.

5.2 The customer shall be solely responsible for setting up a functional hardware and software environment for the delivery items that is also sufficiently dimensioned taking into account the additional load caused by the contractual deliveries and services. This includes in particular the following requirements for each location on which a Wingfield Box is to be installed:

5.2.1 Power cable laid on the side on which the Wingfield Box is to be installed.

5.2.2 LAN cable laid on the side on which the Wingfield Box is to be installed, which enables a data transfer rate of 10 MBit/s. in upload.

5.3 The customer shall thoroughly test the contractual deliveries and services for freedom from defects and for usability in the existing hardware and software configuration before using them. This shall also apply to software received under warranty and maintenance.

5.4 The Customer shall observe the instructions provided by WINGFIELD for the installation and operation of the contractual goods and services. These are in particular

5.4.1 Alignment of the IP camera

The IP camera included in the scope of delivery of the hardware must be aligned exclusively with the pitch and must cover as few areas as possible outside the pitch. The customer shall indemnify WINGFIELD for any data protection violations resulting from misalignment of the IP camera.

5.4.2 Installation of the signs

Any areas covered by the Wingfield Court System cameras must be marked by the installation of signs. WINGFIELD provides sufficient signs for equipped courts.

5.5 Insofar as WINGFIELD is obliged to provide further services in addition to the provision of the contractual goods and services, the customer shall cooperate to the extent necessary free of charge, e.g. by providing employees, work rooms, hardware and software, data and telecommunications equipment.

5.6 The Customer shall grant WINGFIELD access to the contractual deliveries and services for the purpose of troubleshooting and fault rectification, at the Customer's discretion directly and/or by means of remote data transmission.

5.7 The customer shall take appropriate precautions in the event that the contractual deliveries and services do not work properly in whole or in part (e.g. by checking the alignment of the IP camera, fault diagnosis, regular checks of the power supply and LAN connection).

5.8 The customer shall bear any disadvantages and additional costs arising from a breach of these obligations.

 

6. Remuneration, terms of payment

6.1 The prices are net prices, unless expressly stated otherwise; in the case of deliveries, the customer shall be invoiced separately for transportation or shipping costs and individual packaging, including statutory VAT at the applicable rate.

6.2 Travel costs and expenses shall be reimbursed separately.

6.3 Unless otherwise agreed in the respective contract or the following Special Terms and Conditions, invoices shall be due for payment within fourteen (14) days of receipt of the invoice by the customer.

6.4 In the event of default in payment by the customer, WINGFIELD shall be entitled to charge interest on arrears at the statutory rate.

6.5 The customer shall only be entitled to use the contractual goods and services beyond the contractually granted rights of use with the prior written consent of WINGFIELD. The customer may charge additional usage or booking fees for the use of a court equipped with the Wingfield Court System.

6.6 All prices are subject to the applicable statutory value added tax.

6.7 Offsetting by the customer is only permitted with undisputed or legally established claims. The customer is only authorized to exercise a right of retention to the extent that his counterclaim is based on the same contractual relationship.

 

7. Force majeure

As long as WINGFIELD (i) waits for the customer's cooperation or information or (ii) is hindered in its performance by strikes or lockouts in third-party companies or in WINGFIELD's operations (in the latter case, however, only if the labor dispute is lawful), official intervention, statutory prohibitions or other circumstances for which WINGFIELD is not responsible ("force majeure"), delivery and performance periods shall be deemed extended by the duration of the hindrance and by a reasonable start-up time after the end of the hindrance ("downtime") and there shall be no breach of duty for the duration of the downtime. WINGFIELD shall inform the customer of such hindrances and their expected duration without delay. If the force majeure lasts continuously for more than 3 months, both parties shall be released from their performance obligations.

 

8. Confidentiality and data protection

8.1 The contracting parties undertake to treat all knowledge of confidential information and trade secrets ("Confidential Information") of the other contracting party obtained in the course of the initiation and execution of the contract as confidential for an unlimited period of time and to use it only for the purpose of executing the respective contract.

8.2 The contracting parties shall only make Confidential Information accessible to employees and other third parties insofar as this is absolutely necessary for the fulfillment of the respective contract. They shall instruct all persons to whom they grant access to the Confidential Information about the obligation to maintain confidentiality and shall obligate these persons in writing to maintain confidentiality and use the Confidential Information only to the extent set forth in Section A.8.1, unless the persons concerned are obligated to maintain confidentiality at least to the extent set forth above for other legal reasons.

8.3 The above obligations do not apply to Confidential Information that

(i) were already obvious or known to the other contracting party at the time of their transmission by the contracting party;

(ii) have become apparent after their transmission by the contracting party through no fault of the other contracting party;

(iii) have been made accessible to the other contracting party by a third party after their transmission by the contracting party in a non-unlawful manner and without restriction with regard to confidentiality or utilization;

(iv) which have been developed independently by one contracting party without using the Confidential Information of the other contracting party;

(v) which must be published in accordance with the law, an official order or a court decision - provided that the publishing contractual partner informs the contractual partner of this immediately and supports him in the defense against such orders or decisions; or

(vi) insofar as the contractual partner is permitted to use or disclose the Confidential Information on the basis of mandatory statutory provisions or on the basis of the respective contract.

8.4 The confidentiality obligations under this Section A.8. shall continue to exist beyond the termination or rescission of the respective contract as long as and to the extent that one of the conditions specified in A.8.3. has not occurred with regard to the respective information.

8.5 The parties shall comply with the statutory provisions on data protection. Insofar as WINGFIELD also collects, processes or uses personal data of the customer within the scope of the contract by way of commissioned data processing in accordance with instructions, the parties shall conclude an agreement on commissioned data processing in accordance with Article 28 GDPR.

8.6 The customer expressly agrees to be listed with full name and address in the Wingfield Court Finder in the Wingfield App or on the Wingfield website in order to make it easier for users to find Wingfield Courts.

 

9. End of the right of use

In all cases of termination of its right of use (e.g. by withdrawal, subsequent delivery), the customer shall immediately return all deliveries and services that are the subject of the contract and delete all copies, unless it is legally obliged to retain them for a longer period. The customer shall assure WINGFIELD in writing that this has been done.

 

10. Reservation of title

10.1 WINGFIELD shall retain title to the contractual deliveries and services until full payment of all claims existing at the time of delivery or arising later from the contractual relationship.

10.2 If the customer is in arrears with payments for which WINGFIELD is responsible, the assertion of the retention of title by WINGFIELD shall not be deemed a withdrawal from the contract unless WINGFIELD expressly notifies the customer of this. If WINGFIELD asserts the retention of title, the customer's right to further use the goods and services covered by the contract shall lapse.

10.3 If WINGFIELD asserts the retention of title, the customer's right to further use the contractual deliveries and services shall expire.

 

11. Final provisions

11.1 The exclusive place of performance shall be - subject to special agreements in the contract - the registered office of WINGFIELD.

11.2 The customer shall be entitled to publish and use the name of WINGFIELD and a description of the contractual deliveries and services in press releases and other marketing materials. In the event of inappropriate use, WINGFIELD may refuse consent.

11.3 Amendments or additions to the respective contract or these terms and conditions must be made in writing to be effective. The same applies to the waiver of this written form requirement.

11.4 The respective contract and these terms and conditions are subject to the law of the Federal Republic of Germany to the exclusion of international uniform law, in particular the UN Convention on Contracts for the International Sale of Goods.

11.5 The exclusive place of jurisdiction for all disputes arising from or in connection with the respective contract shall be the registered office of WINGFIELD if the customer is a merchant, a legal entity under public law or a special fund under public law. If WINGFIELD brings an action, it shall also be entitled to choose the place of jurisdiction at the customer's registered office. The right of the parties to seek interim legal protection before the competent courts in accordance with the statutory provisions shall remain unaffected.

11.6 Should individual provisions of the contract or these terms and conditions be or become invalid or unenforceable, this shall not affect the validity of the contract or these terms and conditions. The invalid or unenforceable provision shall be replaced by a provision that comes as close as possible to the economic purpose of the invalid or unenforceable provision. The same applies in the event that the parties subsequently determine that the contract or the terms and conditions are incomplete.

 

B. Special conditions for

I. Sale of hardware & use of tracking and dashboard software

1. Subject matter of the contract

1.1 The customer shall purchase from WINGFIELD the hardware specified in the contract with the associated tracking software and the associated documentation or product description (together "delivery items") under the conditions set out herein.

1.2 The source code of the tracking software is not part of the delivery.

1.3 The quality of the delivery items supplied by WINGFIELD shall be conclusively determined by the performance description contained in the documentation or product description (also in audiovisual form).

WINGFIELD shall not be liable for any further quality of the delivery items. In particular, the customer cannot derive such an obligation from other representations of the delivery items in public statements or in the advertising of WINGFIELD and/or the manufacturer, as well as their employees or sales partners, unless WINGFIELD has expressly confirmed the additional quality in writing. Since the use of the Deliverables is dependent on a functioning Internet connection, WINGFIELD cannot, for technical reasons, guarantee either a specific upload speed or uninterrupted, trouble-free use of the Deliverables at all times. Furthermore, the service is temporarily limited if this is necessary with regard to capacity limits, the security or integrity of the servers or for the implementation of technical measures and this serves the proper or improved provision of the services (in particular maintenance work).

For the avoidance of doubt, WINGFIELD GmbH is not responsible for any specific accuracy of the measurement results when analyzing the game, as these are also significantly dependent on external influences that cannot be influenced, in particular lighting conditions.

1.4 Insofar as employees of WINGFIELD provide guarantees prior to the conclusion of the contract, these shall only be effective if they are confirmed in writing by the management of WINGFIELD.

1.5 Set-up, installation or establishment of technical operational readiness are the subject of the respective contract and can either be carried out independently by the customer on the basis of instructions or by WINGFIELD for an installation fee agreed in the contract.

1.6 Users of the Wingfield Box may use other software applications, such as the Wingfield App, to interact with the data collected by the Wingfield Box. Please note that these software applications are subject to their own separate terms and conditions and are not covered by the terms of this document.

 

2. Scope of use of the software

2.1 WINGFIELD grants the customer - subject to payment of the remuneration specified in the contract - a non-exclusive, perpetual right to use the software to the extent specified herein or in the contract (single license per Wingfield Box, hereinafter "software license"). A software license is required for the functionality of the Wingfield Court. If the software license is not renewed, the customer has no claim to a functional Wingfield Court.

2.2 The software includes a dashboard with the following functionalities:

• Display usage statistics
• Wingfield speaker system
• WhatsApp service chat
• Court overview
• User administration and account management

2.3 The customer may only use the tracking software in conjunction with the hardware provided to him and on the court intended for this purpose.

2.4 The customer may only use the tracking software for the operation of a Wingfield Court, unless otherwise stipulated in the contract.

 

3. Duplications, changes

3.1 Duplication of the tracking software is not permitted. The customer may not make any backup copies of the tracking software.

3.2 The customer is not authorized to make changes, extensions or other modifications to the tracking software. Any errors in the tracking software shall be rectified exclusively by WINGFIELD.

3.3 If WINGFIELD provides the customer with additions (e.g. patches, additions to the documentation) or a new edition of the software (e.g. update, upgrade) that replaces previously provided software ("old software") as part of rectification or maintenance, these shall be subject to the provisions of these Terms of Use. If WINGFIELD provides a new edition of the Software, the Customer's rights under these Terms of Use with respect to the Legacy Software shall expire as soon as the Customer starts using the new Software productively, even if WINGFIELD does not expressly request the return of the Legacy Software.

3.4 Reproduction or modification of the documentation is not permitted.

 

4. Protection of the software

4.1 Unless rights are expressly granted to the customer under these Terms and Conditions or the contract, WINGFIELD shall be exclusively entitled to all rights to the software provided - in particular copyright, rights to or in inventions and technical property rights. This shall also apply to adaptations of the software by WINGFIELD.

4.2 The customer is not permitted to change or remove copyright notices, marks and/or control numbers or control marks of WINGFIELD.

 

5. Transfer of the software

Unless otherwise stipulated in the contract, the customer may not transfer the software provided to a third party.

 

6 Delivery and performance time

6.1 Unless otherwise agreed, the software shall be delivered in the version current at the time of delivery.

6.2 WINGFIELD shall affect the delivery of Software by making the Software available on the processor unit located in the Wingfield Box.

6.3 The Customer shall install and configure the Hardware upon receipt or have the installation/configuration carried out by WINGFIELD (Section B.I.1.5.). It is the customer's responsibility to ensure that the system environment required for this is available in accordance with WINGFIELD's guidelines (Section A.5.2.).

6.4 The time at which WINGFIELD hands over the delivery items to the carrier shall be decisive for compliance with delivery dates and the transfer of risk in the case of physical shipment, and in the case of software the time at which the software is made available for retrieval.

 

7. Material defects and defects of title, other deficiencies in performance, statute of limitations

7.1 WINGFIELD warrants the agreed quality of the delivery items pursuant to Section B.I.1.3. and that the use of the delivery items by the customer within the contractual scope is not opposed by any third-party rights.

7.2 In the event of material defects, WINGFIELD shall initially provide warranty through subsequent performance. To this end, WINGFIELD shall, at its discretion, either provide the customer with a new, defect-free delivery item or remedy the defect; WINGFIELD shall also be deemed to have remedied the defect if it shows the customer reasonable ways of avoiding the effects of the defect.

7.3 If a third party asserts an infringement of property rights against the customer due to the use of the delivery items, the customer shall immediately inform WINGFIELD thereof and leave the defense against these claims to WINGFIELD as far as possible. In doing so, the customer shall provide WINGFIELD with all reasonable support. In particular, the customer shall provide all necessary information on the use and any processing of the delivery items, if possible in writing, and provide the necessary documentation. Should it be legally established that the delivery items infringe the industrial property rights of third parties, WINGFIELD may, at its discretion, rectify the defect by

(i) obtains from the person entitled to dispose of the property right a right of use in favor of the customer sufficient for the purposes of the contract, or

(ii) modifies the delivery items infringing the property rights without or only with effects on their function that are acceptable to the customer, or

(iii) replaces the delivery items infringing the property rights with delivery items whose contractual use does not infringe any property rights, without or only with effects on their function acceptable to the customer, or

(iv) supplies a new software version which, when used in accordance with the contract, does not infringe any third-party property rights.

7.4 The customer is obliged to adopt a new software version if the contractual scope of functions is retained and the adoption does not lead to significant disadvantages.

7.5 If two attempts at subsequent performance fail, the customer shall be entitled to set a reasonable grace period to remedy the defect. He must expressly point out in writing that he reserves the right to withdraw from the contract and/or demand compensation in the event of renewed failure. If the rectification of defects also fails within the grace period, the customer may reduce the remuneration or withdraw from the contract. Withdrawal is not permitted in the case of an insignificant defect. WINGFIELD shall pay damages or reimburse futile expenses due to a defect within the limits set out in Section B.I.8. After expiry of a deadline set in accordance with sentence 1, WINGFIELD may demand that the customer exercises its rights resulting from the expiry of the deadline within two weeks of receipt of the request.

7.6 The customer may only derive rights from other breaches of duty by WINGFIELD if it has notified WINGFIELD of these in writing and granted WINGFIELD a grace period to remedy them. This shall not apply if a remedy is out of the question due to the nature of the breach of duty. The limits set out in Section B.I.8. shall apply to compensation for damages or reimbursement of futile expenses.

7.7 The limitation period for all warranty claims shall be governed by the statutory framework, unless otherwise contractually agreed. In the event of intent or gross negligence on the part of WINGFIELD, fraudulent concealment of the defect, personal injury or defects of title within the meaning of § 438 para. 1 no. 1 a BGB, as well as guarantees (§ 444 BGB), the statutory limitation periods shall apply, as shall claims under the Product Liability Act.

 

8. Liability

8.1 In all cases of contractual and non-contractual liability, WINGFIELD shall pay damages exclusively in accordance with the following limits:

(i) in the event of intent and gross negligence in the full amount, as well as in the absence of a quality for which WINGFIELD has assumed a guarantee;

(ii) in other cases: only for breach of a material contractual obligation ("cardinal obligation") if this jeopardizes the purpose of the contract, but always only in the amount of the foreseeable damage. Liability for other consequential damages and loss of profit is excluded. For a single case of damage, the liability per case of damage is limited to the purchase price. The term "cardinal obligation" refers abstractly to those obligations whose fulfillment is essential for the proper execution of the contract and on whose compliance the contractual partner may regularly rely.

8.2 The limitations of liability pursuant to Section B.I.8.1. shall not apply to liability for personal injury and liability under the Product Liability Act.

8.3 WINGFIELD shall not be entitled to plead contributory negligence.

8.4 Clause B.I.7.7. shall apply accordingly to the limitation period, with the proviso that the statutory limitation period shall apply to claims under clauses B.I.8.1(i) and B.I.8.2. The limitation period pursuant to sentence 1 shall commence at the time specified in Section 199 (1) BGB. It shall commence at the latest upon expiry of the maximum periods specified in Section 199 (3) and (4) BGB

 

 

II. Maintenance and servicing of hardware and software “Wingfield Care”

1. Subject matter of the contract

These special conditions for the maintenance and care of hardware and/or software refer to the delivery items listed in the contract with the designation "Box" and specify the maintenance and care services to be provided by WINGFIELD. Additional services and delivery items (e.g. installation accessories, or IP cameras) that are not specified as "Wingfield Box" do not apply in the following regulations.

 

2. Removal of defects, repair

2.1 A prerequisite for WINGFIELD's obligation to perform according to this clause is that Customer has delivered the items to be maintained

(i) at the location specified in the contract; and

(ii) operates in the software and hardware environment specified in the Agreement.

2.2 WINGFIELD shall remedy any defects in the delivery items reported to it within a reasonable period of time.

2.3 If WINGFIELD offers Customer software patches, bug fixes, a new program version or program parts etc. ("patches") in order to avoid or eliminate defects, these will be applied by means of remote maintenance. A working internet connection to the Wingfield Box is required. If the problems cannot be solved via remote maintenance, then the WINGFIELD can either

(i) send a service representative to Customer's facility,

(ii) request Customer to return the hardware for repair at WINGFIELD's expense.

(iii) or request Customer (if and as soon as it is reasonable for Customer) to install the patch on its hardware in accordance with WINGFIELD's installation instructions. The elimination of a defect may also take the form of instructions to the customer. The customer must follow such instructions unless this is unreasonable for him. The type and method of remedying the defect shall be at the reasonable discretion of WINGFIELD.

2.4 If WINGFIELD cannot remedy a defect within the contractually agreed period of time, it may temporarily provide the customer with a workaround solution at its own expense, i.e. at WINGFIELD's expense.

2.5 If a defect of the delivery item reported by the customer does not exist, WINGFIELD shall be entitled to invoice the expenses it incurred separately according to its usual rates.

2.6 Replaced components become the property of WINGFIELD.

2.7 If parts of the hardware have been damaged by vandalism or other reasons that cannot be clearly attributed to wear and tear, any such damages are not covered by the "Wingfield Care" product.

2.8 The following examples show what is covered by by Wingfield Care and what is not covered:

Example 1: The touch screen of the "Wingfield Box Brain" fails. The "Wingfield Box Brain" will be replaced free of charge.

Example 2: The "Wingfield Box Brain" no longer has an Internet connection because the cable has a defect. In this case, the customer must replace the cable at his own expense.

2.9 WINGFIELD may perform preventive regular inspections by remote maintenance or on site. For maintenance purposes, WINGFIELD is entitled to replace the delivery items in their entirety during the contract term. Customer agrees to grant WINGFIELD access to the delivery items in order to give effect to the preceding sentence.

 

3. Hotline

If agreed in the contract, WINGFIELD shall provide a telephone hotline for the reporting of defects and for user support at the times agreed in the contract - with the exception of public holidays at the WINGFIELD site.

 

4. Delivery of new program parts

4.1 WINGFIELD shall provide the Customer with updates/upgrades/releases ("Program Parts") of the Software. This shall include the corresponding supplement or update of the documentation of the Software. The classification of the respective software version under the terms "Update", "Upgrade" and "Release" shall be at the reasonable discretion of WINGFIELD. New program parts may eliminate errors of previous versions and/or change and/or improve existing functions or include new functions. However, the delivery of new program parts does not include in particular (i) separately offered additional functions of the software; (ii) a new development of the software with the same or similar functions on a different technological basis. These new versions of the software can be acquired for additional remuneration under separate agreements.

4.2 B.II.2.3. shall apply accordingly to the delivery of program parts.

 

5. Other services

The customer may separately order the services listed below which are related to the delivery items but which are not included in the services pursuant to Section B.II.2. This applies in particular to

(i) Services to the delivery items that become necessary due to improper handling and/or breaches of obligations by the customer, for example non-compliance with instructions for use;

(ii) services to the Software that become necessary due to force majeure or other circumstances for which WINGFIELD is not responsible;

(iii) adaptations of the delivery items to modified and/or new systems of the customer.

5.1 The customer shall support WINGFIELD in the performance of the maintenance and care services at its own expense. In particular, the customer shall

(i) appoint a person responsible during the term of the contract who has all decision-making powers and authorizations required for the purposes of implementing the maintenance and service contract;

(ii) in the event of defect reports, observe the symptoms that have occurred, the delivery items and the system and hardware environment in detail and report a defect to WINGFIELD, providing information useful for remedying the defect, such as the number of users affected or a description of the system and hardware environment;

(iii) support WINGFIELD in the search for the cause of the defect;

(iv) the employees commissioned by WINGFIELD to perform the contractual services have access to the premises in which the hardware to be maintained is installed;

(v) immediately install the program parts received from WINGFIELD (including patches, bug fixes) in accordance with WINGFIELD's instructions and comply with the suggestions and instructions for remedying defects provided by WINGFIELD.

5.2 The customer shall provide WINGFIELD with remote access to the hardware at its own expense (including connection costs).

 

6. Remuneration

6.1 The maintenance and service fee and the calculation periods are set out in the contract.

6.2 WINGFIELD shall be entitled to adjust the agreed remuneration for deliveries and services. The announcement must be made in writing. An increase shall take effect three months after the announcement. In the event of an increase of more than 5%, the customer shall be entitled to terminate the deliveries and services subject to the contractual notice period.

 

7. Material defects and defects of title, statute of limitations

7.1 Material defects shall be remedied during the term of the maintenance and service contract as part of the remedying of defects in accordance with Section B.II.2.

7.2 A defect of title exists if the customer could not be effectively granted the rights to a maintenance service required for the contractual use. If a third party asserts an infringement of intellectual property rights against the customer due to the use of the maintenance services, the customer shall inform WINGFIELD thereof without delay and leave the defense against these claims to WINGFIELD as far as possible. In doing so, the customer shall provide WINGFIELD with all reasonable support. In particular, the customer shall provide all necessary information about the use and any processing of the software, if possible in writing, and provide the necessary documentation.

7.3 If WINGFIELD fails to remedy a material defect and/or defect of title within a reasonable period of time during the term of the contract, the customer shall be entitled to set WINGFIELD a reasonable grace period with the threat of reducing the maintenance and servicing fee after expiry of this grace period or to terminate the maintenance and servicing contract in writing without notice. Termination of the entire maintenance and servicing contract is only permissible in the event of a significant defect. Withdrawal from the maintenance and care contract is excluded.

7.4 Further statutory rights of the customer shall remain unaffected. WINGFIELD shall pay damages or reimburse futile expenses due to a defect within the limits set out in Section B.II.8.

7.5 Claims due to defective maintenance or care services shall become time-barred within one year of the performance/completion of the respective service. In all other respects, the provisions of Section B.I.7.7. shall apply accordingly.

7.6 The liability for material defects and defects of title for the maintenance services provided shall lapse if the customer or third parties make changes to the delivery items to be maintained or serviced which WINGFIELD has not expressly agreed to beforehand. Anything to the contrary shall only apply insofar as the customer proves that the defect is not attributable to the modifications and that these have not made it more difficult to identify and rectify the defect.

 

8. Liability

The provisions of Section B.I.8. shall apply accordingly to liability.

 

9. Rights of use

WINGFIELD shall grant the customer rights of use in accordance with B.I.2. to the program components (including patches, bug fixes and documentation) delivered in fulfillment of the maintenance and support contract.

 

10. Contract term, termination

10.1 The contract term is specified in the contract. Unless otherwise specified in the contract, the term shall be automatically extended by a further 12 months unless it is terminated by one of the parties at the end of the respective term with a notice period of 3 months.

10.2 The right of use granted to the customer remains unaffected by a termination of the maintenance and service contract.

10.3 The right of each party to extraordinary termination for good cause remains unaffected.

10.4 Termination must be in writing to be effective

 

 

III. Processing of personal data

Agreement on order processing between the customer as the responsible party (referred to here as the "Client") and Wingfield GmbH, Carl-Miller-Straße 6, 39112 Magdeburg represented by the managing directors as processor (referred to here as "contractor") (collectively referred to as "the parties").

 

Preamble

A service agreement dated [...] (hereinafter referred to as the "main contract") exists between the contracting parties.

In order to specify the resulting rights and obligations in accordance with the provisions of European Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (GDPR), and the German Federal Data Protection Act (BDSG), the contracting parties conclude the following agreement, of which the attached annexes are also an integral part and the performance of which is not remunerated separately, unless expressly agreed otherwise.

 

1. Definitions, scope of application, interpretation and precedence

1.1 Where the terms defined in the GDPR (e.g. "personal data", "controller", "processor") are used in this Agreement, these terms shall have the same meaning as in the relevant regulation. For the purposes of the GDPR and this Agreement, the terms in particular mean

(i) "personal data" pursuant to Art. 4 No. 1 GDPR means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(ii) "Special categories of personal data" pursuant to Art. 9 (1) GDPR means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

(iii) "processing" pursuant to Art. 4 No. 2 GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(iv) "controller" pursuant to Art. 4 No. 7 GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

(v) "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller in accordance with Art. 4 No. 8 GDPR.

(vi) "supervisory authority" pursuant to Art. 4 (21) GDPR means an independent public authority established by a Member State pursuant to Art. 51 GDPR.

1.2 This agreement shall apply to the processing of all personal data that is the subject of the service agreement or arises in the course of its implementation or becomes known to the contractor. The scope of application does not include data of the Contractor's employees insofar as they relate exclusively to the employment relationship with the Contractor.

1.3 This Agreement shall be interpreted in the light of the provisions of the GDPR. It may not be interpreted in a way that is contrary to the rights and obligations provided for in the GDPR or that restricts the fundamental rights or freedoms of the data subjects.

1.4 In the event of any conflict between this Agreement and the provisions of any related agreements existing or subsequently entered into or concluded between the parties, these clauses shall prevail.

 

2. Subject matter of the contract

2.1 The Contractor shall process the Client Data exclusively in accordance with the Service Agreement and in the manner, scope and purpose specified in Annex 1, unless the Contractor receives instructions to the contrary from the Client. The group of persons affected by the data processing is shown in Annex 1 to this contract. The duration of the processing corresponds to the term of the main contract.

2.2 The Contractor is prohibited from processing Client Data in any way that deviates from or goes beyond the stipulations in the Annexes. This also applies to the use of anonymized data.

2.3 Changes to the processing object with process changes must be jointly agreed and documented

2.4 The processing of the client data takes place exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area[IW1] .

2.5 The provisions of this contract shall apply to all activities related to the main contract in which the Contractor and its employees or persons commissioned by the Contractor come into contact with personal data originating from the Client or collected for the Client.

 

3. Authority of the client to issue instructions

3.1 The client has the sole right to issue instructions to the contractor regarding the type, scope and method of processing activities ("right to issue instructions"). An instruction is the client's order for the contractor to handle personal data in a certain way[IW2] .

3.2 The Processor shall process the Principal Data only within the scope of the assignment and exclusively on behalf of and in accordance with the instructions of the Principal within the meaning of Art. 28 GDPR, unless it is obliged to do so under Union law or the law of the Member State to which it is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest.

3.3 The persons authorized to issue instructions on behalf of the Client and the persons authorized to receive instructions on behalf of the Contractor are listed in Appendix 2. If the group of persons authorized to issue instructions and receive instructions changes, in particular due to new entry, replacement or prevention of the authorized persons as well as revocation of the authorization to issue instructions by the Client or the authorization to receive instructions by the Contractor, this must be communicated to the other person immediately in writing or in text form - if necessary, naming new authorized persons. Until such notification is received, the persons named in Annex 2 shall be deemed to be authorized to issue instructions and to receive[IW3] [IW4] .

3.4 Instructions shall generally be issued by the Client in writing or in text form; verbal instructions shall be confirmed by the Contractor in writing or in text form. The Client's instructions shall initially be defined by the service agreement and by this contract and may subsequently be amended, supplemented or replaced by the Client in writing or in text form by individual instructions (individual instructions).

3.5 All instructions issued must be documented by both the Client and the Contractor. Instructions that go beyond the service agreed in the main contract shall be treated as a request for a change in service.

3.6 If the Contractor is of the opinion that an instruction of the Client violates data protection regulations, it must inform the Client of this immediately. The Contractor shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Client. The Contractor may refuse to carry out an obviously unlawful instruction.

 

4. Protective measures of the contractor

4.1 The Contractor shall take at least the technical and organizational measures listed in Annex 3 to ensure the security of the personal data. This includes the protection of the data against a breach of security which, whether accidental or unlawful, results in the destruction, loss, alteration or unauthorized disclosure of, or access to, the data. In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks presented to data subjects.

4.2 If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, or data relating to criminal convictions and offenses, the Contractor shall apply specific restrictions and/or additional safeguards.

4.3 The Contractor shall grant all persons entrusted by it with the processing and performance of this contract access to the personal data that are the subject of the processing only to the extent that this is absolutely necessary for the performance, administration and monitoring of the contract. The Contractor warrants that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and the contractor. At the Client's request, the Contractor shall provide the Client with written or electronic evidence of the employees' obligations. [IW5] The processing of data outside the Contractor's premises (e.g. teleworking, working from home, home office, mobile working) is permitted.

4.4 The Contractor reserves the right to change the technical and organizational measures taken, whereby it shall ensure that the contractually agreed level of protection is not undercut. The Contractor shall inform the Client immediately in writing or in text form if it has reason to believe that the measures in accordance with Annex 3 are no longer sufficient and shall consult with the Client regarding further technical and organizational measures.

4.5 At the request of the Client, the Contractor shall provide the Client with suitable evidence of compliance with the technical and organizational measures specified in Annex 3.

 

5. Information and support obligations of the contractor

5.1 In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-relevant incidents or other irregularities in the processing of the Client Data by the Contractor, persons employed by the Contractor within the scope of the order or by third parties, the Contractor shall inform the Client immediately in writing or in electronic form. The same applies to audits of the Contractor by the data protection supervisory authority. If the Contractor becomes aware of a personal data breach, it shall report this to the Controller - where possible - within 72 hours. The notification of a personal data breach shall contain at least the following information:

(i) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned;

(ii) a description of the measures taken or proposed to be taken by the contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.

5.2 In the case of § 5 para. 1, the Contractor shall support the Client in the fulfillment of its relevant clarification, remedial and information measures within the scope of what is reasonable. In particular, the Contractor shall immediately take the necessary measures to secure the data and to minimize possible adverse consequences for the data subjects, inform the Client thereof and request further instructions from the Client.

5.3 The Contractor undertakes to provide the Client with all information and evidence required to carry out an inspection in accordance with Section 7 (1) of this Agreement within a reasonable period of time at the Client's verbal, written or electronic request. Furthermore, the Contractor shall provide the Client with a comprehensive and up-to-date data protection and security concept for order processing as well as information on authorized persons at the Client's request.

 

6. Other obligations of the contractor

6.1 The contractor is obliged to keep a list of all categories of processing activities carried out on behalf of the client in accordance with Art. 30 para. 2 GDPR. The list must be made available to the client upon request.

6.2 The Contractor is obliged to support the Client in the preparation of a data protection impact assessment in accordance with Art. 35 GDPR and any prior consultation with the supervisory authority in accordance with Art. 36 GDPR. If the support services provided by the Contractor exceed 8 hours per year, the Contractor may demand reimbursement of its additional expenses from the Client.

6.3 The Contractor confirms that it has appointed a data protection officer, insofar as there is a legal obligation to do so. The Contractor shall inform the Client of the contact details of the data protection officer after conclusion of the contract. A change in the person of the company data protection officer/contact person for data protection must be communicated to the Client immediately in writing or in text form.

6.4 Should the Client Data be jeopardized at the Contractor by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client of this immediately, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Client as the "controller" within the meaning of the GDPR.

 

7. Control rights of the client

7.1 The Client shall be entitled to verify compliance with the provisions of this Agreement, in particular the implementation of and compliance with the technical and organizational measures pursuant to Section 5 (3) of this Agreement, at reasonable intervals or if there are indications of non-compliance. For this purpose, it may, for example, obtain information from the Contractor, have existing certificates from experts, certifications or internal audits presented to it or, after prior notification, have the Contractor's technical and organizational measures checked personally or by a competent third party at sufficient intervals during normal business hours, provided that the third party is not in a competitive relationship with the Contractor. [IW7] Inspections must be announced in writing or in text form with a reasonable period of notice in advance. The Contractor shall contribute to such an inspection.

7.2 The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor's operational processes. The parties shall agree on the time and type of inspection in good time.

7.3 The Client shall document the results of the inspection and inform the Contractor thereof. In the event of errors or irregularities that the client discovers, in particular during the inspection of order results, it must inform the contractor immediately. If facts are discovered during the inspection that require changes to be made to the ordered procedure in order to avoid them in the future, the client shall inform the contractor of the necessary procedural changes without delay.

7.4 The parties shall make the information referred to in this provision, including the results of audits, available to the competent supervisory authority or authorities upon request.

 

8. Support of the person responsible

8.1 The Contractor shall inform the Client immediately of any request it has received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the client. [IW8]

8.2 Taking into account the nature of the processing, the Contractor shall support the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations pursuant to Section 11 (1) and (2), the Contractor shall follow the Client's instructions.

8.3 The Contractor shall also support the Client in complying with the following obligations, taking into account the type of data processing and the information available to it:

(i) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter "data protection impact assessment") where a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;

(ii) Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the client takes measures to mitigate the risk;

(iii) Obligation to ensure that the personal data are accurate and up to date by informing the Client without undue delay if the Contractor becomes aware that the personal data processed by it are inaccurate or out of date; this does not apply to the data subjects' right to pseudonymization. A review is not owed;[IW9]

(iv) Obligations pursuant to Art. 32 GDPR.

8.4 The Parties shall specify in Annex 3 the appropriate technical and organizational measures to support the Client by the Contractor in the application of this Agreement and the scope and extent of the support required.

 

9. Notification of personal data breaches

9.1 In the event of a personal data breach, the Client shall cooperate with and assist the Contractor accordingly to enable the Client to comply with its obligations under Articles 33 and 34 GDPR, taking into account the nature of the processing and the information available to the Contractor.

9.2 In the event of a personal data breach in connection with the data processed by the Client, the Contractor shall assist the Client in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the Client becomes aware of the breach, if relevant (unless the personal data breach is unlikely to result in a risk to the personal rights and freedoms of natural persons);

9.3 In the event of a personal data breach in connection with the data processed by the Client, the Contractor shall assist the Client in obtaining the following information, which must be provided in the Client's notification in accordance with Art. 33 para. 3 GDPR, whereby this information must include at least the following:

(i) the nature of the personal data, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(ii) the likely consequences of the personal data breach;

(iii) the measures taken or proposed to be taken by the contracting authority to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

9.4 If and to the extent that not all such information can be provided at the same time, the initial notification shall contain the information available at that time and further information shall be provided as soon as it becomes available, without undue delay thereafter; in complying with the obligation under Art. 34 GDPR to notify the data subject without undue delay of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

 

10. Violation of the protection of data processed by the processor

10.1 In the event of a breach of the protection of personal data in connection with the data processed by the Contractor, the Contractor shall notify the Client immediately after becoming aware of the breach. This notification must contain at least the following information:

(i) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects concerned and the approximate number of data records concerned);

(ii) contact details of a contact point where further information on the personal data breach can be obtained;

(iii) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.

10.2 If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.

10.3 The parties shall set out in Annex 3 all other information to be provided by the Contractor to assist the Client in fulfilling its obligations under Art. 33 and 34 GDPR.

 

11. Deletion and return after the end of the contract

11.1 The Contractor shall return to the Client all documents, data and data carriers provided to it after termination of the main contract or at any time at the Client's request, or delete them completely and irrevocably at the Client's request, unless there is a statutory retention period. This shall also apply to copies of the Client's data at the Contractor's premises, such as data backups. This shall not apply to documentation that serves as proof of the proper processing of the Client Data in accordance with the order. The Contractor may hand over such documentation to the Controller at the end of the contract in order to relieve the Controller. Alternatively, he may retain them beyond the end of the contract until the end of the respective retention periods. After the end of the retention period, the obligations under Section 10 (1) sentence 1 apply.

11.2 The Contractor shall confirm the deletion to the Client in writing or in text form. The Client shall have the right to check the complete and contractually compliant return or deletion of the data at the Contractor in a suitable manner; Section 8 (2) of this contract shall apply accordingly.

11.3 The Contractor shall be obliged to treat the data of which it becomes aware in connection with the main contract confidentially even after the end of the main contract.

 

12. Liability

12.1 The liability of the parties shall be governed by Art. 82 GDPR. Any liability of the Contractor towards the Client for breach of obligations under this contract or the main contract shall remain unaffected by this.

12.2 The parties shall indemnify each other against liability if a party proves that it is not responsible in any respect for the circumstance that caused the damage to a party concerned. § Section 11 para. 2 sentence 1 shall apply accordingly in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the other party bears a share of the responsibility for the infringement sanctioned by the fine.

 

13. Term and termination

13.1 The term of this contract corresponds to the term of the main contract, unless the following provisions contain additional obligations or rights of termination.

13.2 If the Contractor fails to comply with its obligations under this Agreement, the Client may - without prejudice to the provisions of the GDPR - instruct the Contractor to suspend the processing of personal data until it complies with this Agreement or the Agreement is terminated. The Contractor shall inform the Client immediately if it is unable to comply with this Agreement for any reason whatsoever.

13.3 The Client is entitled to terminate this Agreement insofar as it concerns the processing of personal data in accordance with this Agreement if

(i) the client has suspended the processing of personal data by the contractor in accordance with paragraph 2 and compliance with this agreement has not been restored within a reasonable period of time, but in any case within one month of the suspension;

(ii) the Contractor materially or persistently breaches this Agreement or fails to comply with its obligations under the GDPR;

(iii) the Contractor fails to comply with a binding decision of a competent court or the competent supervisory authority(ies) relating to its obligations under this Agreement and/or the GDPR.

(iv) The Contractor shall be entitled to terminate this Agreement insofar as it relates to the processing of personal data under this Agreement if the Client insists on the fulfillment of its instructions after being informed by the Contractor that its instructions violate applicable legal requirements.

(v) The right to extraordinary termination for good cause remains unaffected by this. Good cause exists in particular in the event of intentional or grossly negligent violations of the provisions of the GDPR and this agreement.

(vi) In case of doubt, a termination of the main contract shall also be deemed a termination of this contract and a termination of this contract shall be deemed a termination of the main contract.

(vii) The Contractor shall return to the Client all documents, data and data carriers provided to it after termination of the main contract or at any time at the Client's request or - at the Client's request, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This also applies to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence. Documents to be disposed of must be destroyed using a document shredder in accordance with DIN 32757-1. Data carriers to be disposed of must be destroyed in accordance with DIN 66399 [IW11].

(viii) The Client has the right to check the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.

(ix) The Contractor shall be obliged to treat confidentially any data it becomes aware of in connection with the main contract, even after the end of the main contract. The present agreement shall remain valid beyond the end of the main contract for as long as the Contractor has personal data at its disposal which has been forwarded to it by the Client or which it has collected for the Client.

 

14. Coupling

14.1 A third party who is not a party to this Agreement may, with the consent of the Client and the Contractor, accede to this Agreement at any time as a Controller or Processor by completing and signing this Agreement.

14.2 After completing and signing this Agreement, the acceding third party shall be treated as a party to this Agreement and shall have the rights and obligations of a controller or processor.

14.3 No rights or obligations arising from this Agreement shall apply to the acceding third party for the period prior to its accession as a party.

 

15. Final provisions

15.1 The parties agree that the Contractor's defense of the right of retention within the meaning of § 273 BGB with regard to the data to be processed and the associated data carriers is excluded.

15.2 Amendments and supplements to this agreement must be made in writing. This also applies to the waiver of this formal requirement.

15.3 In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main agreement. Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.

15.4 This agreement is subject to German law. The exclusive place of jurisdiction is Hamburg.

---

Appendix 1 – Description of the processing

Categories of data subjects whose personal data are processed

Registered persons who have used one of the Wingfield Boxes set up on the course.

Categories of personal data that are processed

Name and e-mail address of registered users who have used one of the Wingfield Boxes.

Type of processing

Recording of all registered persons who have used one of the Wingfield Boxes, whereby the user name and e-mail address are recorded in a list.

Purpose(s) for which the personal data are processed on behalf of the controller

Listing of the players on the course for the course operator so that he can assign pro accounts to the individual players and get an overview of who is playing on his course.

Statistical recording of the games and statistical evaluation of the overall use of the Wingfield Boxes.

Duration of processing

The data is stored until it is manually deleted by the user.

Annex 2 - Persons authorized to give and receive instructions

of the client: Administrators of the dashboard

of the contractor: Employees of Wingfield GmbH

Annex 3 - Technical and organizational measures of the Contractor

Technical and organizational measures (TOM)

in accordance with Art. 25 and 32 GDPR

Responsible person:

Wingfield GmbH

Represented by the managing directors Maik Burlage, Jaan Brunken

Carl-Miller-Strasse 6

39112 Magdeburg

 

I. Confidentiality

1. access control

Measure	Concrete implementation/ commentary
No unaccompanied visitor access	No unregulated access for third parties. Visitor access is only possible when accompanied by an employee.
Dokumentation der Vergabe von Schlüsseln oder Documentation of the allocation of keys or access cards	Only the management and selected employees have an access key.
Permanently locked doors	The main entrance to the offices is permanently locked.
Careful selection of cleaning services	Yes

 

2. access control

Measure	Concrete implementation/ commentary
Use of secure passwords (e.g. by introducing a password policy)	There is an internal password policy that stipulates that only passwords containing at least 8 letters and at least one special character may be used.
Locking computer workstations when not in use	Computer workstations are automatically locked after 2 minutes of non-use.
Regular review of access authorizations	Additions are reviewed at least quarterly.

 

3. access control

Measure	Concrete implementation/ commentary
Documentation of accesses set up exclusively for employees	Yes
Reduction of admins to the necessary number	Only some of the management and senior developers are granted admin access to the production system.
Secure storage of data carriers	Data carriers are stored in locked offices.
Blocking access after employees leave the company	Both individual and team accesses are deleted or updated when employees leave the company.

 

4. separation control

Measure	Concrete implementation/ commentary
Physically separate storage on separate systems or data carriers	Backups are stored on a separate data carrier.
Introduction of access authorizations for internal systems	Individual authorizations are granted depending on the employee's functional area.
Separation of internal WLAN and guest WLAN	Available

 

5. encryption

Measure	Concrete implementation/ commentary
Use of encrypted transmission paths for data exchange	Use of SSL certificates for data servers and hosting environments.
Use of measures for encrypted data storage	Employees' computers are password-encrypted.

II. Integrity

1. input control

Measure	Concrete implementation/ commentary
Introduction of user and role concepts for internal systems	Individual roles are assigned and access restricted depending on the employee's functional area.
Introduction of individual access for internal systems	Access to user data is granted according to the minimum principle.
Logging the entry, modification and deletion of relevant data	Accesses and operations on relevant user data are stored in logs for security reasons.
Use of personalized logins in the corporate network	Each employee has an individual login to the network.

 

2. Weitergabekontrolle

Measure	Concrete implementation/ commentary
Use of SSL-encrypted transmission paths on the Internet	Yes
Securing documents when sending them by post	Opaque envelopes are used for letters to business customers. Confidential documents are marked if necessary.

III. Availability & resilience

1. availability control

Measure	Concrete implementation/ commentary
Fire protection measures	No smoking in the entire office. Fire extinguishers are available in the office. Smoke detectors are available.
Carrying out code reviews during development	During software development, all changes are checked by a second developer and both the change and the release are documented.
Carrying out regular backups	Data is backed up automatically on a regular basis.
Regular implementation of updates	The operating systems and relevant software on the computers are checked to ensure they are up to date and any necessary updates are carried out.
Use of a firewall (software or hardware) & virus scanner.	Firewalls are used on the servers and clients.
Use of a virus scanner	Virus scanners are used on both servers and clients.
Use of RAID systems	Separate partitions for operating systems and data
Use of spam filters	Yes

 

2. recoverability

Measure	Concrete implementation/ commentary
Creation of emergency plans	A classification into different scenarios specifies measures for operating and restoring the system in emergencies.

IV. Regular review / evaluation

1. data protection management system

Measure	Concrete implementation/ commentary
Documentation of incidents relevant to data protection	Incidents are documented, analyzed and measures are formulated to prevent recurrence.
Regular hardware checks	The hardware is checked regularly and kept up to date.
Setting up deletion routines	A deletion concept is in place, which includes deletion routines for data.
Safe disposal of defective/no longer required hardware	Yes
Secure disposal of documents	Paper documents are shredded.
Introduction of behavioral guidelines on data protection for employees	Central documentation of all data protection procedures and regulations with access for employees.
Signing of a confidentiality agreement by all employees	Employees undertake to maintain confidentiality and comply with the internal data protection guidelines.

 

2. Incident response management

Measure	Concrete implementation/ commentary
Documentation of security incidents and data breaches	Incidents are documented in the long term.
Formal process and responsibilities for the follow-up of security incidents and data breaches	Incidents are documented and measures are formulated to prevent recurrence.

 

3. order control

Measure	Concrete implementation/ commentary
Conclusion of AV contracts with service providers, partners and customers	Data protection aspects are given special consideration when selecting service providers and partners. DP contracts and other necessary agreements are concluded with the service providers.

V. Product specific measures (privacy by design)

1. access to data

Measure	Concrete implementation/ commentary
Creation of user profiles	A password and a valid e-mail address are required to create the account. The e-mail address must be validated with a confirmation link after registration.
Access to user profiles	Requests made by a client to the server follow the OAuth 2.0 authorization protocol and thus ensure that only authorized users can request their data.
Recording of video data	To record video data that is saved for the Wingfield app, it is necessary to log in to the analysis system on the pitch with a Wingfield user account and the user must start recording on the touch display. Beyond this, no video data is recorded.
Access to video data	Recorded videos are only uploaded to the respective user profile in the Wingfield app and further access is controlled by the user in the app.

 

2. development

Measure	Concrete implementation/ commentary
Separation of production and test environment	Development takes place in a test environment with test data and therefore does not contain any user data from the production environment.
Formal release process including responsibilities	Only selected developers can release a release to the production system.
Use of personalized and password-protected access to database servers	Only senior developers with selected end devices are authorized to access database servers

 

3. operation of the system

Measure	Concrete implementation/ commentary
Deletion of user data and videos from the analysis system.	No user data and videos are stored long-term on the analysis system. Deletion is carried out on the basis of the deletion concept.
No disclosure of personal usage data to site operators.	There is no personal evaluation of system usage by the site operator The site operator has no access to data from the app or the system.
Protection of the analysis system against unauthorized access	The analysis system and its computing unit are protected against unauthorized access by both a bolted housing and a lock. The system is also protected against unauthorized data access by a security concept.