Privacy Policy

Data Protection and Data Security Provisions (DP&DSPs)
for the Commissioned Collection, Processing or Use of Personal Data
(§ 11 Bundesdatenschutzgesetz – BDSG - Federal Data Protection Act - FDPA)
at CAS Software AG, Karlsruhe

- hereinafter called CAS -


The following Data Protection and Data Security Provisions (DP&DSPs) apply to all services or activities in connection with which either CAS, any persons assigned by it or any subcontractors instructed by CAS are, with the consent of the client, commissioned to collect, process or use personal data (§ 11, para. 1, FDPA). The DP&DSPs also apply in regard to the inspection or maintenance of automated procedures or data processing systems where the possibility of access to personal data cannot be excluded (§ 11, para. 5, FDPA). These provisions also apply correspondingly for all other data processed on commission, irrespective of the legal form, in particular for customer data or the client's own data or data of its employees, including where the following provisions relate expressly to personal data.

1. Technical and Organizational Measures

CAS will, upon the request of the client, document to the latter prior to the award of the contract that the specified technical and organizational measures have been implemented, in particular in relation to the performance of the specific contract, and submit the same to the client for examination. If accepted by the client, the documented measures will become the basis of the contract. Should the examination / any audit by the client reveal the necessity of an adjustment to the same, this is to be implemented by mutual consent.
Overall, the measures to be taken represent measures which are not specific to the contract and which relate to control of admittance, entry, access, transfer, input, order and availability as well as the necessity of separation (see Annex 2 Technical and Organizational Measures). Order-specific measures, in particular in relation to the nature of the exchange of data / provision of data, the nature and circumstances of the processing / data storage and also the nature and circumstances of output / data transmission etc. will be stipulated separately in writing.
The technical and organizational measures will evolve with technical progress and further development. In this respect, CAS reserves the right to implement appropriate alternative measures. These will not fall short of the security level of measures previously stipulated. Any significant changes will be documented. Upon request, CAS will provide the client with the details under § 4g, para. 2, 1st sentence, FDPA.

2. Correction, Blocking and Deletion of Data

CAS will only correct, delete or block the data processed on commission in accordance with the instructions of the client. Should any person concerned apply directly to CAS for the purpose of correction or deletion of his data, CAS will pass on this request to the client without delay.

3. Controls and other duties of CAS

Independent of the respective contract, CAS observes the following duties under § 11, para. 4, FDPA:

  • Written appointment of a data protection officer who performs his duties in accordance with § 4f, § 4g FDPA. The contact data of this officer will be provided to the client to enable it to establish direct contact.
  • Observance of data secrecy in accordance with § 5 FDPA. All persons who may have access to the personal data of the client in the performance of their tasks are to be placed under an obligation of data secrecy and instructed as to any special data protection duties arising from the respective order and also the commitment to comply with instructions and any restrictions on the purpose of use.
  • The implementation of and compliance with all technical and organizational measures necessary for the respective contract in accordance with § 9 FDPA and the Annex.
  • Immediate notification to the client of any actions or measures of control taken by the supervisory body under § 38 FDPA. This also applies where a competent authority carries out investigations at CAS under § 43, § 44 FDPA.
  • The performance of order supervision by means of regular checks carried out by CAS in regard to the execution and performance of the contract, in particular compliance with and, where appropriate, any adjustment of the arrangements and measures for the performance of the orders.
  • Submission of proof to the client of the technical and organizational measures taken. For this purpose, CAS may also provide the client with current documentation from independent bodies (e.g. data protection officer).

4. Subcontracting

Where subcontractors are involved in the processing or use of personal data of the client, this takes place subject to the following conditions:

  • As a basic principle, CAS will only instruct subcontractors subject to the written consent of the client. Without such written consent, CAS may, for the purpose of performance of the contract, employ affiliated companies subject to compliance with the duty of order supervision set out in Clause 3 and also, in individual cases, other subcontractors subject to observance of the degree of care stipulated by law. The client will be notified of this prior to commencement of the processing or use.
  • CAS will draft the contractual agreements with the subcontractor(s) in such manner that they correspond to the data protection provisions applicable in the contractual relationship between the client and CAS.
    Not to be understood as subcontractor relationships within the meaning of these DP&DSPs are services of third parties of which CAS avails itself, such as ancillary services in support of the performance of the order. These include e.g. telecommunications services, maintenance and user services, services provided by cleaning staff, inspectors or services in connection with the disposal of data media. However, also in the case of outsourced ancillary services, CAS undertakes to conclude any such contractual agreements in conformity with the law and also to take control measures in order to guarantee the protection and security of the data of the client.

5. Control Rights of the Client

The client has the right in liaison with CAS to carry out the order control provided for in no. 6 of the Annex to § 9 FDPA or to have the same carried out by inspectors to be nominated in any individual case. It has the right to satisfy itself, through random sample checks which are, as a rule, to be announced a reasonable time in advance, of compliance by CAS with these DP&DSPs in its business operations. CAS undertakes upon request to provide the client with the necessary information and to make available to it the corresponding documentary proofs in fulfillment of its obligation of order control.
In regard to the duties of control by the client under § 11, para. 2, 4th sentence, FDPA prior to the commencement of the data processing and during the term of the contract, CAS shall ensure that the client will be in a position to satisfy itself of compliance with the technical and organizational measures taken. In this connection, CAS will, upon request, provide the client with proof of the implementation of the technical and organizational measures in accordance with § 9 FDPA and the Annex. In this respect, proof of implementation of such measures which do not relate just to the specific order may also be furnished through submission of a current certificate or from reports or extracts from reports of independent bodies (e.g. data protection officer).

6. Notification in the Case of Breaches by CAS

CAS shall in all cases make a report to the client if any breaches have occurred, either through CAS itself or the persons employed by it, of any provisions for the protection of personal data of the client or of the stipulations laid down in the commission order. The parties are aware that under § 42a FDPA, duties of notification may arise in the case of any loss or unlawful transmission or acquisition of knowledge of personal data. Accordingly, any such occurrences will be notified to the client without delay, irrespective of the cause. This shall also apply in the case of serious disruptions of the business operations, in the case of suspicion of any other breaches of the provisions governing the protection of personal data or any other irregularities in connection with the handling of personal data of the client. In liaison with the client, CAS will take appropriate measures to secure the data and also to minimize any possible consequences for the persons concerned. To the extent that the client has any obligations under § 42a FDPA, CAS will support the client in this connection.

7. Power of the Client to Issue Instructions

The data is to be handled exclusively within the scope of the agreements made and in accordance with the instructions of the client (see § 11, para. 3, 1st sentence FDPA). Within the scope of the commission description to be laid down, the client may specify in detail its power to issue instructions in regard to the nature, scope and procedures of the data processing through the issue of individual instructions. Any changes to the subject of the processing or any changes to procedures are to be mutually agreed and documented. CAS will only issue information to third parties or to any party concerned following the prior written consent of the client.
CAS expects the client to confirm any verbal instructions in writing or by e-mail (in text form) without delay. CAS will not use the data for any other purposes and, in particular, will not pass the data on to any third parties. No copies or duplicates will be prepared without the knowledge of the client. Excepted herefrom are backup copies in so far as such are necessary to ensure proper data processing and also any data necessary in regard to compliance with statutory duties of preservation.
CAS will inform the client without delay in accordance with § 11, para. 3, 2nd sentence, FDPA if it is of the opinion that its instructions might infringe any data protection provisions. CAS shall be entitled to suspend compliance with the corresponding instructions until they have been confirmed or changed by the person responsible at the client.

8. Deletion of Data and Return of Data Media

Following completion of the work under the contract or earlier upon demand by the client, but at the latest at the end of the contract, CAS will hand over to the client all documents and results of processing and use prepared which may have come into its possession, as well as all data files associated with the commission relationship, or will destroy them following prior consent in compliance with data protection requirements. The same applies for test and scrap material. The protocol documenting the deletion will be submitted upon demand. Documentation serving to prove that the data processing was properly carried out in accordance with the terms of the commission will be preserved by CAS beyond the end of the contract in accordance with the respective periods of preservation. CAS may pass the same to the client at the end of the contract with the effect of discharging its obligations in this connection.

9. Processing and Use of the Data

The data will be processed and used exclusively in the territory of the Federal Republic of Germany, in any member state of the European Union or in any other signatory state to the Agreement on the European Economic Area. Any transfer of such processing or use to a third country may only take place following the prior consent of the client and only if the special pre-requisites of § 4b and § 4c FDPA are fulfilled.

CAS Software AG
Status: January 2012

Annex to the DP&DSPs of the CAS Software AG, Karlsruhe

Technical and Organizational
Measures under § 9 FDPA and Annex

For reasons of corporate security (Data Protection and Data Security), CAS refrains at this point from specifying further detailed information concerning the implementation of the technical and organizational measures as prescribed by law and practiced in the corporation.
In response to any legitimate request, these details will be provided by CAS for examination upon receipt of a duly signed non-disclosure agreement.