simple system GmbH & Co.KG

Bodenseestrasse 29
81241 Munich

Tel: 089-998-2987-00
Fax: 089-998-2987-28

Managing Directors: Michael Petri, Sebastian Wiese

VAT ID No.: DE214450309
Registered office: Munich, Munich District Court, HRA 77206

Disclaimer of liability

The content of the “simple system” website is regularly maintained and updated and is for general information. No guarantee is given for the correctness, completeness or availability of the information that can be called up as part of the service.

No responsibility is taken for external links. The respective operator is solely responsible for the content of the linked pages.


Agreement on the processing of personal data on behalf


(see customer data)
– hereinafter also referred to as the client –


simple system GmbH & Co. KG
Bodenseestrasse 29
81241 Munich
– in the following also simple system –
– Client and simple system together hereinafter also parties –

1. Subject matter and duration of the agreement

1.1 Subject matter and duration

  1. The client uses the simple system internet platform as a virtual marketplace for the procurement of goods (hereinafter referred to as “internet platform”). To use the platform, it is necessary that an individual, personalized access is created for each employee of the client. To do this, you need to enter your name and contact details. As the provider of the platform, simple system has the theoretical possibility of accessing this data.
  2. The term and termination of this agreement are based on the agreement between the parties on the use of the Internet platform. Termination of the user agreement automatically results in termination of this contract. An isolated termination of this contract is excluded.

2. Specification of the subject of the agreement, responsibility

2.1 Nature and purpose of processing

  1. The client uses the internet platform by accessing the simple system servers via the internet. For this purpose, it is necessary for the client to transmit the data named in this contract to the simple system server, to save it there, to process it and to retrieve it when the client is using the software.
  2. simple system will use the client’s data exclusively for the provision, administration and maintenance of the internet platform. When it comes to the maintenance and care of the systems, simple system has the option of accessing the client’s data and, if necessary, of making copies of it for troubleshooting and data backup.
  3. The data to be processed, which the client would like to save on the system, are the following types of personal data and categories of data subjects:
    1. Employees of the client: first and last name, contact details
    2. Contact person for the client’s suppliers: first and last name, contact details
  4. The collection, processing and use of client data generally takes place in the territory of the Federal Republic of Germany, in another member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Irrespective of this, simple system is permitted to process client data outside the EEA in compliance with the provisions of this contract. If the data is processed by simple system or its subcontractors in third countries outside the EU, simple system undertakes to comply with the requirements of Chapter V of the GDPR (Articles 44 to 50 GDPR) and to ensure an adequate level of data protection for the data recipient.

2.2 Accountability

  1. Within the framework of this agreement, the client is responsible for compliance with the statutory provisions, in particular for the legality of data processing.

3. Authority of the client to issue instructions

  1. The data processing described in this agreement takes place exclusively within the framework of the agreements made and according to the client’s documented instructions. This does not apply to circumstances in which simple system is required to process data for compelling legal reasons. In this case, simple system will inform the client of these legal requirements prior to processing, unless the relevant law prohibits such communication due to an important public interest.
  2. Instructions from the client should always be in writing at least. If necessary, the client can also issue instructions orally. Oral instructions, however, require immediate confirmation in text form by the client.
  3. simple system has to inform the client if it is of the opinion that an instruction from the client violates applicable data protection regulations. simple system is entitled to suspend the execution of an instruction until the instruction is confirmed or changed in writing by the person authorized to give instructions to the client.
  4. If an instruction from the client violates regulations for the protection of personal data and if this instruction causes damage to simple system, the client releases simple system from all claims by third parties.

4. Obligations of the simple system

4.1 Technical and organizational measures

  1. simple system will design the internal organization in his area of responsibility in such a way that it meets the special requirements of data protection.
  2. simple system ensures that suitable technical and organizational measures are taken during processing and that they are maintained for the duration of this agreement. The measures taken by simple system are described in Appendix 1 to this agreement.
  3. The technical and organizational measures are subject to technical progress and further development. In this respect, simple system is permitted to implement alternative, adequate technical and organizational measures, provided that the security level of the technical and organizational measures specified in Appendix 1 is not fallen below.

4.2 Further obligations of the processor

  1. simple system is obliged to treat as confidential all knowledge of trade secrets and data security measures of the client acquired within the framework of this agreement.
  2. simple system ensures that the persons authorized to process have been bound to confidentiality.
  3. The company MKM Datenschutz GmbH, Äußere Sulzbacher Str. 124 a, 90491 Nuremberg, has been appointed as the external data protection officer at simple system. The contact person is Mr Fabian Dechent,; 0911 / 669577-55.
  4. simple system will inform the client immediately in text form in the event of violations of regulations for the protection of personal data and of violations of the stipulations made in this agreement. simple system will, in consultation with the client, take the necessary measures to secure the data and to reduce possible negative consequences for those affected.
  5. If the client is obliged to provide information to a data subject due to a legal obligation, simple system will support the client by providing the necessary information.
  6. simple system informs the client about controls and measures as well as investigations by a supervisory authority as far as the client’s data is concerned.
  7. simple system informs the client immediately if he discovers errors or irregularities that have occurred during maintenance or that make access by unauthorized persons possible.
  8. Should the client’s data be endangered by seizure or confiscation, by insolvency or settlement proceedings or by other events or measures by third parties, simple system must inform the client about this in text form. simple system will immediately inform all those responsible in this context that the sovereignty and ownership of the data lie exclusively with the client as the person responsible for processing.
  9. simple system keeps a directory for processing that meets the requirements of Art. 30 Para. 2, para. 3 GDPR.
  10. simple system supports the client within the scope of what is reasonable and only insofar as this does not disrupt the operational process in fulfilling the information obligations towards the respective competent supervisory authority or those affected by a violation of the protection of personal data according to Art. 33 and 34 GDPR.
  11. simple system supports the client within the framework of what is reasonable and only insofar as this does not disrupt the operations of simple system in the creation of a data protection impact assessment within the meaning of Art. 35 GDPR with all information available to him, provided this has to be done due to legal requirements. If it is necessary to consult the competent supervisory authority beforehand in accordance with Art. 36 GDPR, simple system also supports the client here.
  12. If simple system arises through the support service according to para. 10 or para. 11 additional expenditure, the client will remunerate this appropriately.

4.3 Correction, restriction and deletion

  1. simple system only has to support the client in accordance with instructions to the extent that is appropriate and necessary for the client in the correction, deletion or restriction of personal data, as well as in safeguarding the rights of the data subjects.
  2. If a data subject contacts simple system directly in this regard, simple system will promptly forward this request to the client.

5. Control rights of the client

  1. The client has the right to carry out the legally stipulated order control at his own expense in consultation with the simple system or to have it carried out by inspectors to be named in individual cases.
  2. During normal business hours, the client is entitled to enter simple system’s business premises and to carry out on-site controls in which the client’s data is processed. The on-site visits are announced by the client in good time, usually at least 2 calendar weeks in advance.
  3. simple system is obliged to support the client with the controls.
  4. In particular, simple system undertakes to grant the client access to the data processing equipment, files and other documents in order to enable the control and verification of the relevant data processing equipment, files and other documentation that are related to the collection or use of the client’s data.
  5. The controls are to be carried out in such a way that no simple system operations are disturbed and that the confidentiality of trade and business secrets is strictly observed.
  6. If the client exercises his control rights through a third party, the client has to oblige the third party in writing in the same way as the client is obliged to simple system. In addition, the client must oblige the third party to maintain confidentiality and secrecy, unless the third party is subject to a professional obligation of confidentiality. The client must submit the commitment agreements with the third party to simple system before the inspection is carried out. The client may not commission a competitor of simple system with the control.

6. Utilization of further processors (subcontracting relationships)

  1. simple system is entitled to commission other subcontractors. At the time of the conclusion of the contract, the subcontractors listed in Appendix 2 have been commissioned by simple system. simple system will inform the client in advance of any intended involvement or replacement of an already commissioned subcontractor.
  2. If subcontractors are engaged by simple system, the contractual agreements with the subcontractors must be designed in such a way that they meet the requirements for confidentiality, data protection and data security between the contractual partners of this contract. The client is to be granted control and inspection rights in accordance with this agreement in these contracts with the subcontractors in such a way that they also entitle the client directly to the subcontractors. simple system is obliged to provide the client with information on the essential content of the contract and the implementation of the data protection obligations by the subcontractors upon request.

7. Notification of Violations

  1. simple system informs the client if they or the persons employed by them have violated the regulations for the protection of personal data or the stipulations made in this agreement or if there are indications that a third party may have illegally gained knowledge of the client’s data , or if the integrity or confidentiality of the client’s data has been jeopardized in any other way.
  2. The information about the breach (data security incident) includes information about the time and type of the incident (including information about which client’s data is affected and how), the IT system concerned, the persons concerned, the time of discovery and that of simple system to contain measures taken thereupon.
  3. Simple system must provide initial information immediately after becoming aware of the data security incident. simple system must, in consultation with the client, take appropriate measures to secure the data and to reduce possible negative consequences for those affected.
  4. simple system will support the client in reporting violations of the protection of personal data in accordance with Art. 33 GDPR. The client will adequately remunerate simple system for the additional work involved.

8. Deletion and return of personal data

  1. Copies or duplicates of the data will only be made in the context of the tasks described in this agreement. After completion of the contractually agreed work, or earlier after a written request by the client – at the latest with the termination of the project contract – simple system has to hand over all documents, created processing and usage results as well as databases that are in connection with this agreement to the client or after prior written notice Destroy the client’s consent in accordance with data protection regulations. The same applies to test and scrap material.
  2. Documentation that serves as proof of order-related and proper data processing must be stored by simple system beyond the end of the contract in accordance with the respective retention periods. simple system can hand this over to the client for relief at the end of the contract.

9. Liability

  1. If simple system is damaged (including a fine) due to the violation of provisions on the handling of personal data that did not arise in its own area of responsibility and / or duties, the client is liable to simple system without limitation. This does not apply if the client is not responsible for the infringement. An exculpation of the client for third parties used elsewhere is only possible if the claims against this third party are assigned to the contractor.
  2. simple system is only liable for damage that is based on processing carried out by it if it does not comply with an obligation under the GDPR specifically for processors, or does not comply in time, or acts contrary to a lawful instruction from the client.
  3. The parties have to indemnify each other from all claims based on a violation of a statutory provision for the protection of personal data, a breach of obligations under this agreement or of provisions of a service contract relevant to data protection law by the other, his vicarious agents and any subcontractors or suppliers. The obligation to indemnify includes, in particular, damages asserted by third parties, including costs and expenses incurred by the other in connection with the breach of duty and the defense against third party claims.
  4. Otherwise, liability is based on the EU General Data Protection Regulation (GDPR).

10. Other regulations

  1. Changes and / or additions to this agreement require a written agreement, which can also be concluded in an electronic format. This also applies to changes to this clause.
  2. The partial or complete assignment or transfer of rights and obligations from this agreement by the client is not permitted, unless the contractor has previously consented in writing; Section 354a of the German Commercial Code (HGB) remains unaffected.
  3. The law of the Federal Republic of Germany applies exclusively to the contractual relationship and its implementation. The application of the CISG or parts of it is excluded. The place of jurisdiction for all disputes in connection with this agreement is Munich.