Your experts for data protection, IT security and compliance

General terms and conditions

General Terms and Conditions (GTC) of nordsec Privacy & Compliance GmbH

Section 1: Scope

1.1 These General Terms and Conditions (GTC) apply to all contracts for data protection services, particularly for the services Essential, Compliance+, Enterprise+, and their Social variants. The data protection services are available for all businesses located in Germany. The Social variants are specifically tailored for daycare centers, social institutions, non-profit organizations, and sports clubs.

1.2 Deviating, conflicting, or supplementary terms and conditions of the Client will not become part of the agreement unless explicitly agreed upon in writing.

Section 2: Contract Formation and Term

2.1 The contract is concluded upon the signing of the consulting agreement by both parties.

2.2 The minimum contract term is 36 months and is automatically extended by 12 months unless terminated in writing with 3 months' notice prior to the end of the term.

Section 3: Scope of Services

3.1 The scope of services is determined by the selected service (Essential, Compliance+, Enterprise+, or their Social variants). Under the Essential service, the Client independently maintains the records of processing activities and technical-organizational measures (TOMs). Support is provided only upon request and billed separately.

3.2 Data protection audits include a comprehensive review of the documents provided by the Client. For the Essential and Essential Social services, the Client is responsible for independently providing these documents.

3.3 Data Protection Impact Assessments (DPIAs) are included starting with the Enterprise+ service. Efforts up to 3 hours for a DPIA are included in the service. Additional efforts will be invoiced separately.

3.4 Response times are governed by the Service Level Agreements (SLAs) of the respective service:

Essential: Response time of 3 business days.

Compliance+: Response time of 1 business day.

Enterprise+: Response time of 4 hours (during business hours).

3.5 nordsec Privacy & Compliance GmbH’s business hours are Monday to Friday, 9:00 AM to 5:00 PM, excluding public holidays.

Section 4: Client Obligations

4.1 The Client must provide all documents and information required for service delivery promptly and completely.

4.2 The Client must promptly inform the Consultant of any potential issues or challenges that may pose risks.

4.3 Delays caused by the Client’s failure to meet their obligations entitle the Consultant to adjust timelines and invoice additional expenses incurred.

4.4 The Consultant will provide the Client with regular service reports. Services are deemed accepted unless the Client raises objections in writing within 10 business days.

4.5 If delays occur due to the Client’s failure to provide required materials or information, the Consultant may invoice additional costs and extend service timelines accordingly.

Section 5: Compensation and Payment Terms

5.1 Fees are determined by the selected service and are invoiced annually or monthly in advance.

5.2 A surcharge of €30 per month applies for monthly payment plans.

5.3 Statements and correspondence with data protection authorities are invoiced separately based on actual effort.

5.4 All templates and documents provided by the Consultant remain the intellectual property of nordsec Privacy & Compliance GmbH and may only be used within the scope of the contract. Distribution to third parties is prohibited.

5.5 All prices are exclusive of statutory VAT.

5.6 Invoices are due immediately upon receipt without deduction.

5.7 Late payments incur default interest of 9 percentage points above the base rate. The Consultant reserves the right to suspend services until full payment is received. Claims may be assigned or sold to third parties if a payment is more than 60 days overdue, subject to prior written notice to the Client.

5.8 If legal changes substantially alter the conditions of the agreed services, the Consultant may adjust prices accordingly with prior notice to the Client.

5.9 Changes to the scope of services requested by the Client after contract conclusion require a separate agreement and will be billed based on additional effort.

Section 6: Liability and Warranty

6.1 The Consultant is liable only for intent and gross negligence.

6.2 Liability for slight negligence is excluded unless it involves the breach of essential contractual obligations. In such cases, liability is limited to foreseeable damages typical of the contract.

6.3 The Consultant maintains professional liability insurance with coverage of up to €5 million per incident.

6.4 The Consultant is not liable for data loss; the Client is responsible for regular backups.

6.5 Liability for data loss is limited to restoration efforts based on proper and regular backups by the Client.

6.6 The Consultant is not liable for communication delays or errors due to technical issues unless caused by willful misconduct or gross negligence.

6.7 Indirect damages, lost profits, production downtime, or operational interruptions are excluded from liability unless caused by intent or gross negligence.

Section 7: Data Processing and Protection

7.1 The Consultant processes personal data solely for the agreed services and in compliance with GDPR requirements.

7.2 A Data Processing Agreement (DPA) is concluded and forms part of this contract.

7.3 The Consultant ensures all necessary technical and organizational measures (TOMs) to protect processed data.

7.4 Both parties must promptly inform each other of any security incidents that come to their attention. The Consultant complies with the GDPR personal data breach notification obligations, including the 72-hour deadline under Article 33 GDPR.

Section 8: Confidentiality

8.1 Both parties commit to treating all information disclosed during the contract as confidential and not disclosing it to third parties.

8.2 This obligation continues for 5 years after contract termination.

8.3 The Consultant may use the Client’s name as a reference in promotional materials unless the Client objects.

Section 9: Termination and Cancellation

9.1 The Client may terminate the contract if the Consultant fails to meet contractual obligations and a reasonable grace period expires without remedy.

9.2 In the event of cancellation, completed work will be invoiced proportionally.

Section 10: Technical Issues and Force Majeure

10.1 The Consultant is not liable for service interruptions due to force majeure, technical issues, or third-party failures (e.g., hosting providers).

10.2 Support requests are handled during business hours unless otherwise agreed.

Section 11: Mitigation of Damages

11.1 The Client must take reasonable steps to mitigate damages in case of foreseeable harm.

Section 12: Subcontractors

12.1 The Consultant may engage subcontractors to perform services while remaining responsible for fulfilling contractual obligations.

Section 13: Amendments

13.1 Changes to the contract must be in writing, including any waiver of the written form requirement.

Section 14: Governing Law and Jurisdiction

14.1 German law governs all legal relationships between the parties.

14.2 Kiel is the exclusive jurisdiction for disputes arising from this contract.

14.3 Claims under this contract become time-barred 12 months after the event giving rise to the claim, unless the claim is based on intent or gross negligence, in which case the statutory limitation period of 3 years applies.

Final Provisions

nordsec Privacy & Compliance GmbH reserves the right to amend these GTC with at least 4 weeks’ notice to the Client. Updated terms are available at www.nordsec-it.de/gtc and are effective as of January 6, 2025.