General Terms & Conditions: consentmanager.net Demo & Basic Package

1. Preamble

1.1. The Jaohawi AB, hereafter named „Jaohawi", offers a platform for gathering consent from website visitors via the Internet: www.consentmanager.net, www.consentmanager.de and other URLs (below: CMP).
1.2. The contractual partners utilize this service as an operator of a Web site or app (hereinafter referred to as: “client”). The contractual partner has full legal competence or is represented by a legal representative who has full legal competence.
1.3. This General Terms and Conditions regulate the collaboration between Jaohaw and the contractual partner.
1.4. In order to use the CMP, the contractual partner applys for an account on the CMP website. Applying for an account constitutes a contractual relationship between Jaohawi and the registering party. Jaohawi is free to reject any account without giving reasons.
1.5 In addition to this contract, the data processing contract contained in Annex 1 also applies.

2. General

2.1. The General Terms and Conditions apply that are currently published at www.consentmanager.net. Jaohawi reserves the right to change the General Terms and Conditions at any time.
2.2. The contractual partner will be notified in writing, by e-mail or in an other suitable manner about any changes in the General Terms and Conditions. They shall be considered as accepted if the contractual partner does not object within a period of 2 weeks upon the notification. With the notification, Jaohawi shall point out expressly to the contractual partner this consequence of his conduct. The right of the contractual partner to withdraw from the contract due to the change in the General Terms and Conditions remains unaffected therefrom.

3. Package details & Service

3.1 The service is free of charge up to a monthly amount of 10,000 pageviews.
3.2 If the amount of pageviews within a certain calendar month exceeds the amount of 10,000 pageviews, Jaohawi will stop the service for this client for this month. This means, the CMP will no longer be delivered to the client's website, reports will not be generated and automatic crawls will not be performed.
3.3 The package features are displayed on the www.consentmanager.net website. Jaohawi is free to change the package details and features at any time without notice.
3.4 Jaohawi remains the right to extend, modify or cancel its free services at any time without giving any reason.

4. Intellectual property, Liability, Data privacy

4.1 The ownership and copyright of the software supplied by Jaohawi, the printed material and all copies of the software are the responsibility of the software manufacturer. The software is protected by copyright and international treaty provisions. The client shall therefore treat the software as any other copyrighted material.
4.2 The client hereby expressly agrees that Jaohawi may designate the client in Jaohawi's advertising or to third parties as a reference.
4.3 The client acknowledges that Jaohawi only provides a certain service (e.g. collecting consent from visitors, protocol consent information for later proof in case of vindication, providing consent information to third parties using a standard API) and does not guarantee non-liability to third parties by using the service. Furthermore Jaohawi or the usage of this service cannot guarantee that, e.g. by using the service on the client’s website, the client is fully compliant to general data protection regulation(s) or other data regulations in his country or region. The service provided by Jaohawi may only be seen as a piece of a juristically solution.
4.4 The client is not allowed to cache any of the files/URLs provided by Jaohawi’s services if not declared otherwise (e.g. by using HTTP headers).

5. Final Provisions

5.1 If any provision (or part of a provision) of this agreement is invalid, illegal or unenforceable, the rest of the agreement will remain in effect.
5.2 Place of performance and jurisdiction for all obligations and disputes arising under the contract, termination and settlement is, provided that there are no compelling legal reasons, for both parties Stockholm, Sweden.

Annex 1: Data processing contract

between Jaohawi as processor (hereinafter referred to as “Jaohawi”) and the client as the data controller/responsible.

Preamble

The client would like to commission Jaohawi with the services specified in § 3. Part of the contract execution is the processing of personal data. In particular, Art. 28 GDPR places certain demands on such an order processing. In order to comply with these requirements, the parties conclude the following agreement, the fulfillment of which is not separately remunerated, unless expressly agreed.

1. Definitions

1. In accordance with Art. 4 (7) GDPR, the person responsible or data controller is the one who, alone or together with other responsible persons, decides on the purposes and means of processing personal data.
2. According to Art. 4 (8) GDPR, the processor is a natural or legal person, public authority, institution or other body that processes personal data on behalf of the person responsible.
3. According to Art. 4 Para. 1 GDPR, personal data are all information that relate to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is considered to be identifiable when he/she can be identified, directly or indirectly, and in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more specific features, that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
4. Particularly vulnerable personal data are personal data in accordance with Art. 9 GDPR, which show the racial and ethnic origin, political opinions, religious or ideological convictions or trade union affiliation of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offences or related safeguards as well as genetic data according to Art. 4 Para. 13 GDPR, biometric data according to Art. 4 Para. 14 GDPR, health data according to Art. 4 Para. 15 GDPR as well as data on the sex life or the sexual orientation of a natural person.
5. Processing is, in accordance with Art. 4 (2) of the GDPR, any process or series of operations performed with or without the aid of automated procedures in relation to personal data such as the elicitation, collection, organization, order, storage, adaptation or modification, reading out, querying, using, disclosing through transmission, dissemination or any other form of provision, reconciliation or association, restriction, deletion or obliteration.
6. According to Art. 4 (21) GDPR, the supervisory authority is an independent state agency established by a Member State pursuant to Art. 51 GDPR.

2. Specification of the competent data protection supervisory authority

1. The responsible supervisory authority for the client is the country representative for data protection or a similar body at the client's headquarters.
2. Responsible supervisory authority for Jaohawi is the Swedish Data Protection Authority.
3. The client and Jaohawi and, if necessary, their representatives work, on request, together with the supervisory authority to fulfill their duties.

3. Contract Object

1. Jaohawi will provide services to the client on the basis of the contract between the parties (“Main Contract”). In doing so, Jaohawi gains access to personal data and processes it exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by Jaohawi result from the Main Contract (and the associated service description). The client is responsible for the assessment of the admissibility of the data processing.
2. The parties conclude this agreement to clarify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement take precedence over the provisions of the Main Contract.
3. The terms of this Agreement shall apply to all activities related to the Main Contract in which Jaohawi and its employees, or Jaohawi agents, that come into contact with personal data originating from or collected for the client.
4. The term of this contract is based on the duration of the Main Contract, provided that the following provisions do not result in obligations or termination rights beyond it.

4. Right of instruction

1. Jaohawi may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the client; This applies in particular to the transfer of personal data to a third country or to an international organization. If Jaohawi is obliged to further processing by the law of the European Union, or of the Member States to which it is subject, he shall inform the client of these legal requirements prior to processing.
2. The instructions of the client are initially determined by this contract and can then be changed, supplemented or replaced by the client in written form or in text form by individual instructions (individual instruction). The client is entitled to issue corresponding instructions at any time. This includes instructions regarding the rectification, deletion and blocking of data. The authorized persons are listed in Annex 1.4. In the case of a change or a longer-term absence of named persons, the contracting party must be notified immediately in text form of the successor or representative.
3. All instructions given must be documented by both the client and Jaohawi. Instructions that go beyond the performance agreed in the Main Contract are treated as an application for a change in performance. Jaohawi must inform and get confirmation from the client if they regard this as a change in performance and of any pricing or other implications of this before implementing the change.
4. If Jaohawi believes that a client's instruction violates data protection regulations, Jaohawi must inform the client immediately. Jaohawi is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the client. Jaohawi may refuse to carry out an evidently illegal instruction.

5. Type of processed data, data subjects concerned

1. As part of the execution of the Main Contract, Jaohawi will have access to the personal information specified in Annex 1.1. These data include the specific categories of personal data listed in Appendix 1.1 and identified as such.
2. The group of data processors is given in Appendix 1.2.

6. Protective measures by Jaohawi

1. Jaohawi is obliged to comply with the statutory provisions on data protection and not to pass on the information obtained from the area of the client to third parties or to expose them to their access. Documents and data are to be secured against the knowledge of unauthorized persons by taking into account the generally acknowledged state of the art.
2. In his area of responsibility, Jaohawi will design the in-house organization in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organizational measures to adequately protect the client's data in accordance with Art. 32 GDPR, in particular at least the measures of access control listed in Appendix 1.3.
3. Jaohawi reserves the right to change the security measures taken, with Jaohawi ensuring that the contractually agreed level of protection is not lowered.
4. At Jaohawi the company contact person for data protection is: Jan Winkler (info@consentmanager.net).
5. The persons employed in the data processing by Jaohawi are prohibited from collecting, processing or using personal data without authorization. Jaohawi will oblige all persons entrusted by Jaohawi with the processing and fulfillment of this contract (hereinafter referred to as employees) (obligation of confidentiality, Art. 28 Para. 3 lit. b GDPR) and ensure with due diligence the compliance with this obligation. These obligations must be such that they will persist even after the termination of this contract or the employment relationship between the employee and Jaohawi. Jaohawi shall be required to prove the obligations on request by the client in an appropriate manner.

7. Information requirements of Jaohawi

1. In the event of any disruption, suspicion of breaches of privacy or breaches of contractual obligations by Jaohawi, suspected security incidents or other irregularities in the processing of personal data by Jaohawi, persons employed by it or by third parties, Jaohawi shall promptly notify the client in writing. The same applies to examinations of Jaohawi by the data protection supervisory authority. The personal data breach message contains at least the following information:
a) a description of the nature of the breach of the protection of personal data, indicating, where possible, the categories and the number of data subjects, the categories concerned and the number of personal data records involved;
b) a description of the remedial action taken or proposed by Jaohawi and, where appropriate, measures to mitigate its potential adverse effects.
2. Jaohawi immediately takes the necessary measures to safeguard the data and to mitigate the potential adverse effects of those affected, informs the client about this and requests further instructions.
3. In addition, Jaohawi is obliged to provide the client with information at any time, as far as its data is affected by an infringement according to paragraph 1.
4. If third-party measures are jeopardized, Jaohawi must inform the client without delay, unless Jaohawi is prohibited by court or an administrative order. In connection with this, Jaohawi will immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the client as “responsible person” within the meaning of the GDPR.
5. Jaohawi must notify the client immediately of significant changes to the security measures.
6. A change in the person of the company data protection officer / contact person for the data protection has to be disclosed to the client immediately.
7. Jaohawi and, if applicable, its representative keep a record of all categories of processing activities carried out on behalf of the client, which contain all the information required by Article 30 (2) GDPR. On request, the directory must be made available to the client.
8. Jaohawi must cooperate to a reasonable extent in the preparation of the procedural directory by the client. It has to provide the client with the necessary information in a suitable manner.

8. Control rights of the client

1. The client convinces himself before starting the data processing and then regularly (annually) from the technical and organizational measures of Jaohawi. For this purpose, he/she may, for example obtain information from Jaohawi, request the presentation of existing certificates from experts, certifications or internal audits, or check the technical and organizational measures of Jaohawi personally or have them checked by a competent third party after timely coordination during normal business hours, or this third party is not in competition with Jaohawi. The client will only perform controls to the extent necessary and will not disproportionately disrupt the operational activities of Jaohawi.
2. Jaohawi undertakes to provide the client with all information and evidence necessary to carry out a review of Jaohawi's technical and organizational measures, within a reasonable period of time, at his/her written or verbal request.
3. The client documents the inspection result and informs Jaohawi about it. In the event of errors or irregularities which the client determines, in particular when checking the results of an order, he/she must inform Jaohawi immediately. If, during the inspection, circumstances are identified whose future avoidance requires changes to the order of procedure, the client shall notify Jaohawi of the necessary procedural changes without delay.
4. Upon request, Jaohawi provides the client with a comprehensive and up-to-date data protection and security concept for order processing and authorized persons.
5. On request, Jaohawi will prove to the client the obligation of the employees according to § 6 paragraph 4.

9. Use of subcontractors

1. The contractually agreed services or the partial services described below may be carried out by subcontractors listed in Appendix 1.5. Jaohawi is authorized to create further subcontracting relationships with sub-contractors (“subcontractor relationship”) as part of its contractual obligations. Jaohawi is required to carefully select subcontractors for their suitability and reliability. Jaohawi will inform the client immediately if new subcontractors are used. The client therefore has a right to reject new subcontractors within one week upon notification. Jaohawi has the obligation to engage subcontractors in accordance with the terms of this Agreement, and to ensure that the client is able to exercise his/her rights under this Agreement (in particular, his/her audit and control rights) directly with subcontractors. If subcontractors from a third country are to be included, Jaohawi must ensure that the respective subcontractor has an adequate level of data protection (e. g. by concluding an agreement based on EU standard data protection clauses). Upon request, Jaohawi will prove to the client the conclusion of the afore-mentioned agreements with his subcontractors.
2. A subcontracting relationship within the meaning of these provisions does not exist if Jaohawi entrusts third parties with services that are to be regarded as mere fringe benefits. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without specific reference to services that Jaohawi provides for the client and security services. Maintenance and testing services represent subcontractor agreements subject to approval, if these are provided for IT systems that are also used in connection with the provision of services for the client.

10. Inquiries and rights of those affected

1. Jaohawi supports the client as far as possible with suitable technical and organizational measures in the fulfillment of its obligations under Art. 12-22 as well as 32 and 36 GDPR.
2. If an affected person asserts rights, such as information, rectification or deletion of his/her data, directly against Jaohawi, Jaohawi does not react independently, but refers the person concerned without delay to the client and waits for his instructions.

11. Liability

1. Jaohawi acknowledges that if a Data Subject has suffered damage as a result of any breach of Jaohawi's or any of its sub-processors' obligations referred to in this DPA, Jaohawi may be responsible to pay any fines or compensation that might arise as a result of the breach.
2. If the Client has paid such compensation or fine, as written above, due to a breach by Jaohawi of its obligations referred to in this DPA, the Client is entitled to issue a claim against the Jaohawi in turn.
3. The Client acknowledges that if a Data Subject has suffered damage as a result of any breach of the Client's obligations referred to in this DPA, the Client may be responsible to pay any fines or compensation that might arise as a result of the breach.
4. If Jaohawi has paid such compensation or fine, as written above, due to a breach by the Client of its obligations referred to in this DPA, Jaohawi is entitled to issue a claim against the Client in turn.
5. In each case, the parties release themselves from liability, if a party proves that they are in no way responsible for the circumstances in which the damage occurred to a Data subject.

12. Extraordinary right of termination

1. The client may terminate the Main Contract without notice in whole or in part, if Jaohawi does not fulfill its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or cannot or will not carry out an instruction of the client. In the case of simple – i.e. neither intentional nor grossly negligent – infringements the client sets Jaohawi a reasonable period within which Jaohawi can stop the infringement.

13. Termination of the Main Contract

1. Jaohawi will give all documents, data and data carriers, provided to it by the client, back to the client after the completion of the Main Contract or at any time at the clients request or delete them at the clients request ¡V unless there is an obligation under EU law. This also applies to any backups at Jaohawi. Jaohawi must have the documented proof of the orderly deletion of still existing data. Documents to be disposed of must be destroyed using a document shredder in accordance with DIN 32757-1. Media to be disposed of must be destroyed in accordance with DIN 66399.
2. The client has the right to control the complete and contractual return or deletion of the data at Jaohawi in an appropriate manner.
3. Jaohawi is required to treat the data disclosed to Jaohawi in connection with the Main Contract as confidential even after the termination of the Main Contract. The present contract will continue to apply beyond the end of the Main Contract as long as Jaohawi has personal information submitted by or collected by Jaohawi.

14. Final provisions

1. Changes and additions to this agreement must be made in writing. Changes and additions to this agreement must be in writing. The writing requirement also applies to the waiver of the written form.
2. If individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
3. This agreement is subject to Swedish law. Exclusive jurisdiction is Stockholm.

Appendix 1.1 - Description of data / data categories

Client data: First name, surname, e-mail address, postal address, telephone number, fax number, Skype data, bank details, PayPal data, tax number, order data, IP address, time of visit, duration of visit
Visitor data: IP address, time of visit, consent information, browser string, referrer, country

Appendix 1.2 - Description of the affected / affected groups

Client, Website Visitor (third party)

Appendix 1.3 - Technical and organizational measures of Jaohawi

Among other things, Jaohawi will implement the following technical and organizational measures:
• Documented list of keys to Jaohawi’s offices
• Locking of the office rooms after work
• Surveillance of datacenters via alarm, video, movement sensors
• Access control to datacenters via id reader, magnet card or chip card
• Confidentiality obligation of employees
• Use of password protection for client logins, servers, admin panel
• Use of “hard” passwords (Special Chars, Numbers, Upper-/Lower-Case) for servers
• Use of protection software (anti-virus, anti-malware, anti-spam)
• Automated updates for protection software
• Use of firewalls to protect the data
• Use of DMZ principles
• Encryption of data
• Internal separation of functions (testing vs. live environment)
• Use of https/ssl encryption
• Use of protocols
• Backup and recovery
• “Privacy by default”

Appendix 1.4 - Authorized Persons

The authorized persons of the client are to be named by the client when the contract is signed. The recipients of the directive at Jaohawi are the managing directors of Jaohawi AB and the contact person assigned to the client.

Appendix 1.5 – Subcontractors

HostEurope GmbH, Hansestr. 111, 51149 Cologne, Germany
Plusserver GmbH, Hohenzollernring 72, 50672 Cologne, Germany
DataCamp Ltd, 207 Regent Street, London, UK,
Strato AG, Pascalstr. 10, 10587 Berlin, Germany
Domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany