
Bots and People product GmbH
Data Processing Terms

July 2024

1. General | Scope

  1. Customer has commissioned Bots & People for the services specified in the Services Contract. Part of the execution of the Services Contract is the processing of personal data. In particular, Art. 28 GDPR imposes specific requirements on such commissioned processing. To comply with these requirements, the Parties agree that these Data Processing Terms (“Data Processing Terms”) shall apply to such processing.
  2. These Data Processing Terms shall supplement the Bots & People Terms as per Clause 13.2 of the Terms.

2. Definitions

  1. Pursuant to Art. 4 (7) GDPR, the controller is the entity that alone or jointly with other controllers determines the purposes and means of the processing of personal data.
  2. Pursuant to Art. 4 (8) GDPR, a data processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of a controller.
  3. Pursuant to Art. 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  4. Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of Data Subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offenses or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data on the sex life or sexual orientation of a natural person.
  5. According to Article 4 (2) GDPR, the processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  6. Pursuant to Article 4 (21) GDPR, the supervisory authority is an independent state body established by a Member State pursuant to Article 51 GDPR.

3. General Provisions

  1. Bots & People provides the Services specified in the Services Contract for Customer. In doing so, Bots & People obtains access to personal data, which Bots & People processes as processor for Customer, who acts as controller, exclusively on behalf of and in accordance with Customer’s instructions. The scope and purpose of the data processing by Bots & People are set out in the Services Contract and any associated service descriptions. Customer shall be responsible for assessing the admissibility of the data processing.
  2. The purpose of these Data Processing Terms is to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of these Data Processing Terms shall take precedence over the provisions of the Services Contract.
  3. The provisions of these Data Processing Terms shall apply to all activities related to the Services Contract in which Bots & People and its employees or persons authorized by Bots & People come into contact with personal data originating from Customer or collected for Customer.

4. Right of Instruction

  1. Bots & People may only collect, process or use data within the scope of the Services Contract and in accordance with the instructions of Customer; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If Bots & People is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify Customer of these legal requirements prior to the processing.
  2. The instructions of Customer shall initially be determined by these Data Processing Terms. Thereafter, they may be amended, supplemented, or replaced by Customer in writing or text form by individual instructions (individual instructions). Customer shall be entitled to issue such instructions at any time. This includes instructions with regard to the correction, deletion, and blocking of data. 
  3. All instructions submitted by the Customer with respect to the processing of data subject to this agreement and the Services Contract must be submitted to Bots & People via email to operations@botsandpeople.com. 
  4. All instructions issued shall be documented by Customer. Instructions that go beyond the Service agreed in the Services Contract shall be treated as a request for a change in Service.
  5. If Bots & People is of the opinion that an instruction of Customer violates data protection provisions, it shall notify Customer thereof without undue delay. Bots & People shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by Customer. Bots & People may refuse to carry out an obviously unlawful instruction.

5. Types of Data Processed, Group of Data Subjects

  1. Within the scope of the implementation of the Services Contract, Bots & People shall have access to the personal data specified in more detail in Attachment 1. 
  2. The category of Data Subjects affected by the data processing is listed in Attachment 1.

6. Protective Measures of Bots & People

  1. Bots & People shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from Customer’s domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
  2. Bots & People shall organize the internal organization within its field of responsibility in such a way that it meets the special requirements of data protection. It shall have taken the technical and organizational measures specified in Attachment 2 to adequately protect Customer’s data pursuant to Art. 32 GDPR, which Customer acknowledges as adequate. Bots & People reserves the right to change the security measures taken while ensuring that the contractually agreed level of protection is not undercut.
  3. The persons employed in the data processing by Bots & People are prohibited from collecting, processing or using personal data without authorization. Bots & People shall oblige all persons entrusted by it with the processing and performance of the Services Contract (“Employees”) accordingly (obligation of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with these Data Processing Terms with due care.

Bots & People has appointed a data protection officer. Bots & People’s data protection officer is heyData GmbH, Kantstraße 99, 10627 Berlin, Germany, datenschutz@heydata.eu, www.heydata.eu.

7. Information Obligations of Bots & People

  1. In the event of disruptions, suspected data protection violations or breaches of contractual obligations of Bots & People, suspected security-related incidents or other irregularities in the processing of personal data by Bots & People, by persons employed by it within the scope of the Services Contract or by third parties, Bots & People shall inform Customer without undue delay. The same shall apply to audits of Bots & People by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
    1. a description of the nature of the personal data breach, including, to the extent possible, the categories and the number of Data Subjects affected, the categories affected and the number of personal data records affected;
    2. a description of the measures taken or proposed by Bots & People to address the breach and, where applicable, measures to mitigate its possible adverse effects;
    3. a description of the likely consequences of the personal data breach.
  2. Bots & People shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, inform Customer thereof and request further instructions.
  3. In addition, Bots & People shall be obliged to provide Customer with information at any time insofar as Customer’s data are affected by a breach pursuant to Clause 7.1 of this Schedule.
  4. Bots & People shall inform Customer of any significant changes to the security measures pursuant to Clause 6.2 of this Schedule.

8. Control Rights of Customer

  1. Customer may satisfy themselves of the technical and organizational measures of Bots & People prior to the commencement of data processing and thereafter regularly on a yearly basis. For this purpose, Customer may, for example, obtain information from Bots & People, obtain existing certificates from experts, certifications or internal audits or, after timely coordination, personally inspect the technical and organizational measures of Bots & People during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with Bots & People. Customer shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of Bots & People in the process.
  2. Customer shall carry any and all expenses related to data processing inspections and audits initiated by the Customer.
  3. Bots & People undertakes to provide Customer, upon the latter’s verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the technical and organizational measures of Bots & People.
  4. Customer shall document the results of the inspection and notify Bots & People thereof. In the event of errors or irregularities which Customer discovers, in particular during the inspection of the results of the inspection, Customer shall inform Bots & People without undue delay. If facts are found during the control, the future avoidance of which requires changes to the ordered procedure, Customer shall notify Bots & People of the necessary procedural changes without delay.

9. Use of Sub-processors

  1. The contractually agreed services shall be performed with the involvement of the service providers named in Attachment 3 (the “Sub-processors”). Customer grants Bots & People its general authorization within the meaning of Article 28 (2) s. 1 GDPR to engage additional Sub-processors within the scope of its contractual obligations or to replace Sub-processors already engaged.
  2. Bots & People shall inform Customer in advance by email newsletter of any intended change regarding the involvement or replacement of a Sub-processor. Customer will receive the email newsletter after sending an email with the subject “Subscribe” to operations@botsandpeople.com.
  3. The objection to the intended involvement or replacement of a Sub-processor must be raised within 2 weeks of the information being sent in the email newsletter. If no objection is raised, the involvement or replacement shall be deemed approved. If there is a good cause under data protection law and a mutually agreeable solution cannot be found between Customer and Bots & People, Customer shall have a special right of termination at the end of the month following the objection.
  4. When engaging Sub-processors, Bots & People shall oblige them in accordance with the provisions of these Data Processing Terms. 
  5. A Sub-processor relationship within the meaning of these provisions does not exist if Bots & People commissions third parties with services that are regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by Bots & People to Customer and guarding services. Maintenance and testing services constitute Sub-processor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for Customer.

10. Requests and Rights of Data Subjects

  1. Bots & People shall support Customer with suitable technical and organizational measures in fulfilling Customer’s obligations pursuant to Articles 12 to 22 and 32 to 36 GDPR.
  2. If a Data Subject asserts rights, such as the right of access, correction or deletion with regard to his or her personal data, directly against Bots & People, the latter shall not react independently but shall refer the Data Subject to Customer and await Customer’s instructions.

11. Termination of the Services Contract

  1. After termination of the Services Contract, Bots & People shall return to Customer all documents, data and data carriers provided to it or - at the request of Customer, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This shall also apply to any data backups at Bots & People. Bots & People shall on request provide documented proof of the proper deletion of any data.
  2. Customer shall have the right to control the complete and contractual return or deletion of the data at Bots & People in an appropriate manner.
  3. Bots & People shall be obligated to keep confidential the data of which it has become aware in connection with the Services Contract even beyond the end of the Services Contract. These Data Processing Terms shall remain valid beyond the end of the Services Contract as long as Bots & People has personal data at its disposal which have been forwarded to it by Customer or which it has collected for Customer.

Attachment 1: DESCRIPTION OF TYPES AND CATEGORIES OF DATA AND CATEGORIES OF DATA SUBJECTS

Types of Personal Data:

  • User Data: Name, Business Email Address, Username, Password, Alphanumeric identifier, Access level and system role, Profile picture (if provided, voluntary)
  • Content: In-meeting content: video, audio, images, chat, text, recordings, transcriptions, interactive card responses, files, calendar dates
  • Search queries: submitted queries
  • Learner Progress: Time, Completion data, Progress, Course and path assignments, Favorites
  • Device: Browser type, IP address, Operating system, Location, Device type, MAC address
  • Activity: Event logs (e.g., action taken, event type, event location, timestamp, client UUID, user ID, and channel ID)
  • Cookies: Session information (e.g., frequency, average and actual duration, quantity, quality, network activity, and network connectivity)

Categories of Data Subjects:
Employees of Customer (learners/ users)

Bots & People will process data as follows:

  • to create and maintain the learner’s Learning Hub account so they can always follow their learning progress, enroll in new learning journeys, and take part in online interactive live sessions
  • to personalize the user’s experience on the Learning Hub 
  • to send the user/learner calendar invitations, confirmation and reminder emails when they enroll in a learning journey or live session hosted on the Bots & People Learning Hub
  • to send users occasional feedback/satisfaction rating emails where they may choose to voluntarily and anonymously rate the Bots & People service 
  • to answer support requests if learners submit one proactively to support@botsandpeople.com
  • upon request by customer/end user (learner) to support@botsandpeople.com, to erase all stored data about the learner

Attachment 2: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

TECHNICAL AND ORGANIZATIONAL MEASURES  

1. Introduction 

1.1. Controller and Processor

The Controller according to Art. 4 (7) EU General Data Protection Regulation (GDPR) is the Customer. The Processor is Bots & People, incorporated as Bots and People Product GmbH, Schlesische Str. 29, 10997 Berlin, Germany, e-mail: operations@botsandpeople.com. Legally represented by Nico Bitzer, Oliver Bohr.

1.2. Data Protection Officer 

Our data protection officer is heyData GmbH, Schützenstr. 5, 10117 Berlin, www.heydata.eu, e-mail: datenschutz@heydata.eu.  

1.3. Subject of the document 

This document summarizes the technical and organizational measures taken by the Processor within the meaning of Article 32 (1) of the GDPR. These are measures with which the Processor protects personal data. The purpose of the document is to support the Processor in fulfilling its accountability obligations under Art. 5 (2) GDPR.  

2. Confidentiality (Art. 32 (1)(b) GDPR) 

2.1. Entry control 

The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities: 

  • Chip card/transponder locking system 
  • Key regulation / key book 
  • Visitors only accompanied by staff
     
2.2. Admission control 

The following implemented measures prevent unauthorized persons from accessing the data processing systems: 

  • Authentication with user and password 
  • Use of anti-virus software 
  • Management of user permissions 
  • Creation of user profiles 
  • Central password rules 
  • Use of 2-factor authentication 
  • Key control / key book
     
2.3. Access control 

The following implemented measures ensure that unauthorized persons do not have access to personal data: 

  • Use of an authorization concept 
  • Number of administrators is kept as small as possible 
  • Management of user rights by system administrators

4. Availability and resilience (Art. 32 (1) (b) GDPR) 

The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client: 

  • Regular backups 
  • Hosting (at least of the most important data) with a professional hoster
     

5. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR) 

5.1. Data protection management 

The following measures ensure that an organization that meets the basic requirements of data protection law is in place: 

  • Use of the heyData platform for data protection management 
  • Appointment of the data protection officer heyData 
  • Commitment of employees to data secrecy 
  • Regular training of employees in data protection 
  • Keeping an overview of processing activities (Art. 30 GDPR)
  • Conducting data protection impact assessments, if required (Art. 35 GDPR)
     
5.2. Incident-Response-Management 

The following measures are intended to ensure that notification processes are triggered in the event of data privacy breaches: 

  • Notification process for data protection breaches pursuant to Art. 4 No. 12 GDPR vis-à-vis supervisory authorities (Art. 33 GDPR) 
  • Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis data subjects (Art. 34 GDPR)
  • Involvement of the data protection officer in security incidents and data mishaps 
  • Use of anti-virus software
     
5.3. Privacy-friendly default settings (Art. 25 (2) GDPR) 

The following implemented measures take into account the requirements of the principles "Privacy by design" and "Privacy by default": 

  • Training of employees in "Privacy by design" and "Privacy by default". 
  • No more personal data is collected than is necessary for the respective purpose.

5.4. Order supervision 

The following measures ensure that personal data can only be processed in accordance with the instructions: 

  • Written instructions to the contractor or instructions in text form (e.g. by Data Processing Agreement). 
  • Ensuring that data is destroyed after completion of the order, e.g. by requesting corresponding confirmations 
  • Confirmation from contractors that they commit their own employees to data secrecy (typically in the Data Processing Agreement)

Attachment 3: LIST OF SUB-PROCESSORS

The Customer (Controller) has authorised the use of the above mentioned sub-processors by the Processor