DATA PROCESSING ‘Formcentric’

DATA PROCESSING ARRANGEMENTS FOR THE ‘Formcentric’ FORMS MANAGER

1. Purpose of this document

The customer has purchased a subscription from Formcentric GmbH for the use of the ‘Formcentric’ forms manager provided by Formcentric GmbH via the https://www.formcentric.com website, together with the associated storage space provided to the customer by Formcentric GmbH (‘service’). The service in question is a professional forms management system that can be used to represent and automate digital business processes. The service therefore allows the customer to utilise the forms on the ‘formcentric.com’ website or to embed these in the customer’s digital online presence and to manage the data entered into the forms by the users of the forms (‘users’). User data is stored on servers operated by Formcentric GmbH or its service providers in the European Union. In this context, personal data is also processed as defined by the EU General Data Protection Regulation (GDPR). To fulfil the provisions of the GDPR in such circumstances, the following commissioned data processing contract applies.

2. Purpose and scope of data processing

2.1 In the context of operating the service, Formcentric GmbH gains access to personal data that is owned by the customer and the customer’s users (collectively ‘customer data’). Formcentric GmbH will process this data solely as commissioned to do so and according to the customer’s instructions, pursuant to GDPR article 4(8) and article 28.

2.2 The processing of customer data by Formcentric GmbH is performed solely as specified in section 3(1) and (2), and according to the scope and purpose as specified there. The individuals considered as data subjects by this data processing are listed in section 3(3).

2.3 The processing of customer data takes place exclusively on the territory of the Federal Republic of Germany, in a Member State of the European Union or in another state that is party to the Agreement on the European Economic Area. Any outsourcing of this processing to a third country takes place only following the prior consent of the customer, which must be given in text form, and which may take place only if the specific requirements of GDPR articles 44 to 49 are fulfilled (e.g. adequacy decision by the Commission, standard data protection clauses, approved codes of conduct).

3. Nature and purpose of processing, nature of personal data and categories of data subjects

3.1 The nature and purpose of the commissioned data processing is the rendering of services in accordance with the subscription purchased by the customer, namely web hosting, and the associated and necessary processing operations relating to the forms as created by the customer’s form authors and as used by the customer’s end users:

- Administration of personal data for registration and for logins

- Storing of personal data

- Facilitating access to and the export of content hosted online as well as features for sharing with users

3.2 The collection, processing and/or use of personal data typically involves the following types and categories of data:

- Usernames and passwords of form authors and end users of the service

- Primary data (files and documents entered into the forms)

- Personal master data (e.g. name, salutation)

- Contact details (email addresses of form authors and end users)

- User content data

- Entries in the system log (relevant actions from end users), including the point in time of the last successful or unsuccessful login, truncated IP address, etc.

3.3 Categories of individuals considered data subjects by the handling of their personal data on the terms of this contract are typically the following:

- Customer form authors with active accounts

- End users of the service

3.4 Formcentric GmbH does not carry out any processing of customer data that deviates from or exceeds the processing as specified in the foregoing sections 3.1 and 3.2. This also applies to the use of anonymised data.

4. Customer rights, duties and contractual authority

4.1 The customer bears sole responsibility for assessing the lawfulness of processing pursuant to GDPR article 6(1) and for honouring the rights of data subjects pursuant to GDPR articles 12 to 22. Where enquiries are clearly addressed to the customer, Formcentric GmbH will forward such enquiries to the former without delay.

4.2 Formcentric GmbH processes customer data only within the context of the subscription, and solely as commissioned and instructed to do so by the customer pursuant to GDPR article 28 (commissioned data processing). This applies in particular to the transfer of personal data to a third country or to an international organisation. Accordingly, the customer has the sole right to issue instructions concerning the nature, scope and method of processing activities (‘contractual authority’). If Formcentric GmbH is required to perform other types of processing by the law of the European Union or a member state to which Formcentric GmbH is subject, Formcentric GmbH will notify the customer of this and the underlying legal requirements before such processing begins.

4.3 All instructions given by the customer must be made in text form. In the event of receiving verbal instructions, Formcentric GmbH shall confirm and document these instructions in text form. Changes to the subject of data processing and procedural changes must be coordinated and agreed between the parties, and documented in writing or in an electronic format. Formcentric GmbH is entitled to terminate processing if it would be unreasonable for Formcentric GmbH to follow an instruction received from the customer.

4.4 The customer shall treat all knowledge of Formcentric GmbH trade secrets and data protection measures, as gained by the customer within the context of the subscription, as strictly confidential. This obligation remains in force even after the subscription ends.

5. Duties of Formcentric GmbH

5.1 Formcentric GmbH will process personal data solely on the terms of the agreements made for the subscription and in accordance with customer instructions (section 4), unless and insofar as Formcentric GmbH is required to perform other processing as a result of the laws of the European Union or its Member States to which Formcentric GmbH is subject (e.g. investigations by public prosecutors or state security agencies). In the latter case, Formcentric GmbH will notify the customer of these legal requirements before processing starts, unless the law in question prohibits such a notification being made on important grounds of public interest (sentence 2 of point (a) of GDPR art. 28(3)).

5.2 Formcentric GmbH does not use the personal data entrusted to it for any purpose other than those envisaged in the subscription; use of this data for internal purposes is strictly prohibited. Copies or duplicates of the personal data will not be made without the customer’s knowledge, unless required for technical reasons in order to render the services as agreed.

5.3 Formcentric GmbH will maintain a record that lists all categories of processing activities conducted on the customer’s behalf, pursuant to GDPR article 30(2). This record will be made available to the customer at the latter’s request.

5.4 For the fulfilment of the rights of data subjects pursuant to GDPR articles 12 to 22 by the customer and compliance with the provisions of GDPR article 32 to 36, particularly in relation to the creation of a record of processing activities and any data protection impact assessments required from the customer, Formcentric GmbH will contribute as necessary and provide the customer with an appropriate level of support (points (e) and (f) of GDPR art. 28(3)). In the event of a data subject contacting Formcentric GmbH with a request to exercise their rights – in relation to accessing, rectifying or erasing their data, for example – Formcentric GmbH will forward such requests to the customer without delay and await the latter’s instructions. Formcentric GmbH will not contact the data subject before receiving instructions for this specific case.

5.5 In the event of Formcentric GmbH receiving a customer instruction (section 4) that, in its opinion, violates applicable laws (GDPR art. 28(3), subparagraph 2), Formcentric GmbH will inform the customer without delay and before processing starts. Formcentric GmbH is entitled to delay execution of the corresponding instruction until this has been confirmed or modified by the customer, following a review of the same.

5.6 Formcentric GmbH will rectify, erase or restrict the processing of personal data from the contractual relationship if the customer issues an instruction requiring such action to be taken and this action is not opposed by the legitimate interests of Formcentric GmbH.

5.7 Formcentric GmbH will fulfil requests for information from third parties or data subjects about personal data from the contractual relationship only after the customer’s prior instruction or consent.

5.8 Formcentric GmbH will observe strict confidentiality during the contractual processing of the customer’s personal data and will instruct those of its employees tasked with performing the work about the relevant data protection provisions before these employees begin such work. Appropriate measures will be taken to require employees to observe confidentiality during these activities and also after the end of their employment relationship (point (b) of GDPR art. 28(3) and GDPR art. 29).

5.9 If the data becomes threatened by Formcentric GmbH receiving a seizure of assets or confiscation order, or as a result of a bankruptcy or settlement proceedings, or other events or third-party actions, Formcentric GmbH will inform the customer of these matters without delay, unless the former is prohibited from doing so by order of a court or government agency. In such a case, Formcentric GmbH will inform the relevant authorities that the authority for making decisions about the data lies solely with the customer as the ‘controller’ in the sense as defined by the GDPR.

5.10 Formcentric GmbH will monitor compliance with the provisions of data protection law within its company.

5.11 The Data Protection Officer appointed by Formcentric GmbH is:

D&C Datenschutz und Consulting
Dirk Borbe
Belemannweg 15
22419 Hamburg
Telephone: +49 162 58 17 253
Email: info@dundc.org

The customer will be informed without delay if a new Data Protection Officer is appointed. Contact details for the Data Protection Officer can also be obtained from the Formcentric GmbH website at https://formcentric.com/de/impressum/.

6. Duty of Formcentric GmbH to communicate faults in the processing of personal data as well as personal data breaches

Formcentric GmbH will notify the customer in writing or in text form and without delay concerning faults in personal data processing and violations of data protection law on the part of Formcentric GmbH or its employees, or breaches of contractual obligations, or in the event of suspected personal data breaches or irregularities relating to the processing of personal data. The same applies to audits of Formcentric GmbH conducted by the supervisory authority. The notifications will include the details as stated in GDPR article 33(3) as a minimum. Where necessary, Formcentric GmbH will provide the customer with appropriate support in fulfilling their duties pursuant to GDPR articles 33 and 34 (point (f) of GDPR art. 28(3)). However, Formcentric GmbH will provide customer notifications pursuant to GDPR article 33 or 34 only after prior instruction according to section 4.

7. Technical and organisational measures pursuant to GDPR article 32 (point (c) of GDPR art. 28(3))

7.1 For specific commissioned data processing activities, a level of security will be ensured that is appropriate to the risks threatening the rights and freedoms of the natural persons affected by the processing. As a minimum, this will account for the security goals of the confidentiality, availability and integrity of systems and services, as well as their resilience vis-à-vis the nature, scope, circumstances and purpose of processing, by implementing suitable technical and organisational measures so as to permanently mitigate these risks.

7.2 Formcentric GmbH will organise its internal business processes so as to ensure that these meet the specific requirements of data protection law. Formcentric GmbH will implement all suitable technical and organisational measures to provide an appropriate level of protection to customer data pursuant to GDPR article 32, and will maintain these measures for the duration of customer data processing. The current technical and organisational measures implemented by Formcentric GmbH can be viewed at the link below.

technical and organisational measures

7.3 The measures taken by Formcentric GmbH may be modified during the contractual relationship to reflect technical and organisational developments but will never fall below the level of protection required pursuant to GDPR article 32.

8. Engagement of other processors as subcontractors (point (d) of GDPR art. 28(3))

8.1 The customer hereby consents to the engagement by Formcentric GmbH of one or more processors as subcontractors (‘subcontracted processors’) to carry out commissioned data processing activities involving personal data on behalf of Formcentric GmbH.

8.2 Formcentric GmbH will engage such subcontracted processors only after notifying the customer in writing or in text form about its intention to change its processing activities by commissioning or replacing other processors. Formcentric GmbH will notify the customer of the processor’s name and address, and the envisaged activity it will be tasked with. The customer is entitled to raise an objection to changes of this nature within 14 days of receiving the notification from Formcentric GmbH (GDPR art. 28(2)). The customer may object to the engagement/replacement of a subcontracted processor only on objective grounds.

8.3 Formcentric GmbH will take care to ensure that the provisions agreed in this commissioned data processing contract also apply to its subcontracted processors, with the customer being granted full monitoring and audit rights vis-à-vis the subcontracted processor according to section 9 of this contract. In particular, the customer is entitled to conduct appropriate audits and inspections of subcontracted processors as necessary, including site visits, or to engage third parties to conduct such checks on the customer’s behalf.

8.4 The contract with the subcontracted processor will be documented in writing or in text form (GDPR art. 28(4) and (9)).

8.5 Processors in third countries will be subcontracted only if the specific requirements pursuant to GDPR article 44 ff. have been met (e.g. adequacy decision by the Commission, standard data protection clauses, approved codes of conduct).

8.6 The foregoing provisions apply mutatis mutandis if the subcontracted processor also wishes to engage other processors as subcontractors.

8.7 As of this writing, the subcontractors as listed below have been engaged by Formcentric GmbH for the purpose of personal data processing within the stated scope.

Hosting:
Schwarz IT KG
Stiftsbergstraße 1
D-74172 Neckarsulm
Tel 07132-30-474747
info@stackit.de

The customer hereby consents to their engagement by Formcentric GmbH.

9. Audit and monitoring rights

9.1 Formcentric GmbH will provide the customer with the information necessary to prove its fulfilment of the duties as set out in GDPR article 28. In individual cases, the customer is entitled to verify compliance with the provisions of this commissioned data processing contract by conducting audits, also by means of on-site inspections conducted by the customer or competent third parties engaged by the customer who are not competitors of Formcentric GmbH.

9.2 The customer shall conduct such audits only within the scope as required and normally following prior notification, while also properly accounting for the business processes and hours of business at Formcentric GmbH. In exceptional cases, the customer may conduct an audit without prior notification if this appears necessary to avoid compromising the purpose of the audit.

9.3 The customer shall document the results of the audit and notify these to Formcentric GmbH. If the customer identifies errors or irregularities, the customer shall inform Formcentric GmbH of these without delay. If an audit discovers circumstances that would require changes to the agreed procedures in order to avoid such circumstances in the future, the customer shall notify Formcentric GmbH of the necessary procedural changes without delay.

10. Term and notice of termination

10.1 The duration of commissioned data processing corresponds to the term of the subscription and ends at the same time as the latter without a separate notice of termination being required.

10.2 The customer may terminate commissioned data processing at any time without notice in the event of Formcentric GmbH committing a serious breach of data protection provisions or the provisions of this commissioned data processing contract, or Formcentric GmbH being unable or unwilling to follow a customer instruction pursuant to the provisions of this contract, or Formcentric GmbH refusing to honour the customer’s audit and monitoring rights (section 9) as granted by this contract.

11. Post-contractual obligations of Formcentric GmbH

11.1 Following the termination of the subscription, Formcentric GmbH will completely and permanently erase all personal data of the customer and their end users, unless a legal retention period is applicable to such data.

11.2 Formcentric GmbH will notify the customer of the erasure of this data in a documented electronic format.

12. Liability

12.1 In the event of a data subject asserting their right to claim compensation pursuant to GDPR article 82, the parties shall provide each other with support and contribute to a clarification of the contributory circumstances.

12.2 The liability provisions agreed between the parties in the subscription also apply to claims arising from this commissioned data processing contract.

13. Final provisions

13.1 Changes and amendments to this commissioned data processing contract must be made in writing or in text form. This also applies to waivers of this written/text form requirement.

13.2 In case of doubt, the provisions of this commissioned data processing contract take precedence over the subscription provisions. Should individual provisions of this commissioned data processing contract prove to be invalid or unenforceable, whether in whole or in part, or become invalid or unenforceable as a result of changes to legislation following contract conclusion, this does not affect the validity of the remaining provisions. Instead of the invalid or unenforceable provision, a valid and enforceable provision will be agreed that most closely approximates the intent and purpose of the untenable provision.

13.3 This commissioned data processing contract is subject to German law. The sole place of jurisdiction is Hamburg.