1. Preamble

1.1. consentmanager (consentmanager GmbH for Germany, Austria and Switzerland, consentmanager SAS for France and Belgium or consentmanager AB for all other countries), hereafter named „consentmanager", offers a platform for gathering consent from website or app visitors via the Internet (www.consentmanager.net, www.consentmanager.de, www.consentmanager.fr and other URLs) (below: CMP).
1.2. You, as the contractual partner, utilize this service as an operator of a website or app (hereinafter referred to as: “client”). You have full legal competence or are represented by a legal representative who has full legal competence.
1.3. This General Terms and Conditions regulate the collaboration between Consentmanager and the client.
1.4. In order to use the CMP, the client applys for an account on the consentmanager website. Applying for an account constitutes a contractual relationship between consentmanager and the client. consentmanager is free to reject any account without giving reasons.
1.5 In addition to this contract, the data processing contract contained in Annex 1 also applies.

2. General

2.1. The General Terms and Conditions apply that are currently published at www.consentmanager.net. consentmanager reserves the right to change the General Terms and Conditions at any time.
2.2. The client will be notified in writing, by e-mail or in another suitable manner about any changes in the General Terms and Conditions. They shall be considered as accepted if the client does not object within a period of 2 weeks upon the notification. With the notification, consentmanager shall point out expressly to the client this consequence of his conduct. The right of the client to withdraw from the contract due to the change in the General Terms and Conditions remains unaffected therefrom.

3. Package details & Service

3.1 The service is free of charge up to a monthly amount of 5,000 pageviews.
3.2 If the amount of pageviews within a certain calendar month exceeds the amount of 5,000 pageviews, consentmanager will stop the service for this client for this month. This means, the CMP will no longer be delivered to the client's website or app, reports will not be generated and automatic crawls will not be performed.
3.3 The package features are displayed on the www.consentmanager.net website. consentmanager is free to change the package details and features at any time without notice.
3.4 consentmanager remains the right to extend, modify or cancel its free services at any time without giving any reason.
3.5 The client is only allowed to use 1 (one) free Demo or Basic account. If the client wants to use more accounts, they will need to switch to a paid package.
3.6 The client is not allowed to (re-)sell, sublicense, bundle or otherwise offer a consentmanager account. The client is now allowed to offer services that are in conjunction with an account or that include an account in any way. If the client wants to bundle, resell or offer its own services around a consentmanager account (e.g. as an agency), the client must sign a separate partner agreement with consentmanager.

4. Intellectual property, Liability, Data privacy

4.1 The ownership and copyright of the software supplied by consentmanager, the printed material and all copies of the software are the responsibility of the software manufacturer. The software is protected by copyright and international treaty provisions. The client shall therefore treat the software as any other copyrighted material.
4.2 The client hereby expressly agrees that consentmanager may designate the client in consentmanager's advertising or to third parties as a reference.
4.3 The client acknowledges that consentmanager only provides a certain service (e.g. collecting consent from visitors, protocol consent information for later proof in case of vindication, providing consent information to third parties using a standard API) and does not guarantee non-liability to third parties by using the service. Furthermore consentmanager or the usage of this service cannot guarantee that, e.g. by using the service on the client’s website, the client is fully compliant to general data protection regulation(s) or other data regulations in their country or region. The service provided by consentmanager may only be seen as a piece of a juristically solution.
4.4 The client acknowledges that consentmanager is not liable for any issues or problems that occur on the clients' website in conjunction with consentmanager's services. Claims for damages of any kind, for whatever legal reason, including damages resulting from the use of software on data, software or hardware of the user are excluded, unless the damage is caused intentionally or through gross negligence. This does not apply if the damage was caused by the violation of a cardinal obligation by consentmanager. consentmanager is only obliged to repair or replace goods if the client has completely fulfilled his contractual obligations. All claims against consentmanager are not assignable without written consent and can only be asserted by the client. consentmanager is liable for damages resulting from errors in the programming, software, hardware or other components of the system up to a maximum sum of 3 monthly bills of the client. The calculation is based on the average invoices of consentmanager to the client for the last 12 months.
4.5 The client is not allowed to download or cache any of the files/URLs provided by consentmanager’s services if not declared otherwise (e.g. by using HTTP headers).

5. Final Provisions

5.1 If any provision (or part of a provision) of this agreement is invalid, illegal or unenforceable, the rest of the agreement will remain in effect.
5.2 Place of performance and jurisdiction for all obligations and disputes arising under the contract, termination and settlement is, provided that there are no compelling legal reasons, for both parties Hamburg, Germany.

Annex 1: Data processing contract

between consentmanager as processor (hereinafter referred to as “consentmanager”) and the client as the data controller/responsible.

Preamble

The client would like to commission consentmanager with the services specified in § 3. Part of the contract execution is the processing of personal data. In particular, Art. 28 GDPR places certain demands on such an order processing. In order to comply with these requirements, the parties conclude the following agreement, the fulfillment of which is not separately remunerated, unless expressly agreed.

1. Definitions

1. In accordance with Art. 4 (7) GDPR, the person responsible or data controller is the one who, alone or together with other responsible persons, decides on the purposes and means of processing personal data.
2. According to Art. 4 (8) GDPR, the processor is a natural or legal person, public authority, institution or other body that processes personal data on behalf of the person responsible.
3. According to Art. 4 Para. 1 GDPR, personal data are all information that relate to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is considered to be identifiable when he/she can be identified, directly or indirectly, and in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more specific features, that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
4. Particularly vulnerable personal data are personal data in accordance with Art. 9 GDPR, which show the racial and ethnic origin, political opinions, religious or ideological convictions or trade union affiliation of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offences or related safeguards as well as genetic data according to Art. 4 Para. 13 GDPR, biometric data according to Art. 4 Para. 14 GDPR, health data according to Art. 4 Para. 15 GDPR as well as data on the sex life or the sexual orientation of a natural person.
5. Processing is, in accordance with Art. 4 (2) of the GDPR, any process or series of operations performed with or without the aid of automated procedures in relation to personal data such as the elicitation, collection, organization, order, storage, adaptation or modification, reading out, querying, using, disclosing through transmission, dissemination or any other form of provision, reconciliation or association, restriction, deletion or obliteration.
6. According to Art. 4 (21) GDPR, the supervisory authority is an independent state agency established by a Member State pursuant to Art. 51 GDPR.

2. Specification of the competent data protection supervisory authority

1. The responsible supervisory authority for the client is the country representative for data protection or a similar body at the client's headquarters.
2. Responsible supervisory authority for consentmanager is the German Data Protection Authority in Hamburg.
3. The client and consentmanager and, if necessary, their representatives work, on request, together with the supervisory authority to fulfill their duties.

3. Contract Object

1. consentmanager will provide services to the client on the basis of the contract between the parties (“Main Contract”). In doing so, consentmanager gains access to personal data and processes it exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by consentmanager result from the Main Contract (and the associated service description). The client is responsible for the assessment of the admissibility of the data processing.
2. The parties conclude this agreement to clarify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement take precedence over the provisions of the Main Contract.
3. The terms of this Agreement shall apply to all activities related to the Main Contract in which consentmanager and its employees, or consentmanager agents, that come into contact with personal data originating from or collected for the client.
4. The term of this contract is based on the duration of the Main Contract, provided that the following provisions do not result in obligations or termination rights beyond it.

4. Right of instruction

1. consentmanager may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the client; This applies in particular to the transfer of personal data to a third country or to an international organization. If consentmanager is obliged to further processing by the law of the European Union, or of the Member States to which it is subject, he shall inform the client of these legal requirements prior to processing.
2. The instructions of the client are initially determined by this contract and can then be changed, supplemented or replaced by the client in written form or in text form by individual instructions (individual instruction). The client is entitled to issue corresponding instructions at any time. This includes instructions regarding the rectification, deletion and blocking of data. The authorized persons are listed in Annex 1.4. In the case of a change or a longer-term absence of named persons, the contracting party must be notified immediately in text form of the successor or representative.
3. All instructions given must be documented by both the client and consentmanager. Instructions that go beyond the performance agreed in the Main Contract are treated as an application for a change in performance. consentmanager must inform and get confirmation from the client if they regard this as a change in performance and of any pricing or other implications of this before implementing the change.
4. If consentmanager believes that a client's instruction violates data protection regulations, consentmanager must inform the client immediately. consentmanager is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the client. consentmanager may refuse to carry out an evidently illegal instruction.

5. Type of processed data, data subjects concerned

1. As part of the execution of the Main Contract, consentmanager will have access to the personal information specified in Annex 1.1. These data include the specific categories of personal data listed in Appendix 1.1 and identified as such.
2. The group of data processors is given in Appendix 1.2.

6. Protective measures by consentmanager

1. consentmanager is obliged to comply with the statutory provisions on data protection and not to pass on the information obtained from the area of the client to third parties or to expose them to their access. Documents and data are to be secured against the knowledge of unauthorized persons by taking into account the generally acknowledged state of the art.
2. In his area of responsibility, consentmanager will design the in-house organization in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organizational measures to adequately protect the client's data in accordance with Art. 32 GDPR, in particular at least the measures of access control listed in Appendix 1.3.
3. consentmanager reserves the right to change the security measures taken, with consentmanager ensuring that the contractually agreed level of protection is not lowered.
4. At consentmanager the company contact person for data protection is: Götz Sielk (goetz@consentmanager.net).
5. The persons employed in the data processing by consentmanager are prohibited from collecting, processing or using personal data without authorization. consentmanager will oblige all persons entrusted by consentmanager with the processing and fulfillment of this contract (hereinafter referred to as employees) (obligation of confidentiality, Art. 28 Para. 3 lit. b GDPR) and ensure with due diligence the compliance with this obligation. These obligations must be such that they will persist even after the termination of this contract or the employment relationship between the employee and consentmanager. consentmanager shall be required to prove the obligations on request by the client in an appropriate manner.

7. Information requirements of consentmanager

1. In the event of any disruption, suspicion of breaches of privacy or breaches of contractual obligations by consentmanager, suspected security incidents or other irregularities in the processing of personal data by consentmanager, persons employed by it or by third parties, consentmanager shall promptly notify the client in writing. The same applies to examinations of consentmanager by the data protection supervisory authority. The personal data breach message contains at least the following information:
a) a description of the nature of the breach of the protection of personal data, indicating, where possible, the categories and the number of data subjects, the categories concerned and the number of personal data records involved;
b) a description of the remedial action taken or proposed by consentmanager and, where appropriate, measures to mitigate its potential adverse effects.
2. consentmanager immediately takes the necessary measures to safeguard the data and to mitigate the potential adverse effects of those affected, informs the client about this and requests further instructions.
3. In addition, consentmanager is obliged to provide the client with information at any time, as far as its data is affected by an infringement according to paragraph 1.
4. If third-party measures are jeopardized, consentmanager must inform the client without delay, unless consentmanager is prohibited by court or an administrative order. In connection with this, consentmanager will immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the client as “responsible person” within the meaning of the GDPR.
5. consentmanager must notify the client immediately of significant changes to the security measures.
6. A change in the person of the company data protection officer / contact person for the data protection has to be disclosed to the client immediately.
7. consentmanager and, if applicable, its representative keep a record of all categories of processing activities carried out on behalf of the client, which contain all the information required by Article 30 (2) GDPR. On request, the directory must be made available to the client.
8. consentmanager must cooperate to a reasonable extent in the preparation of the procedural directory by the client. It has to provide the client with the necessary information in a suitable manner.

8. Control rights of the client

1. The client convinces himself before starting the data processing and then regularly (annually) from the technical and organizational measures of consentmanager. For this purpose, he/she may, for example obtain information from consentmanager, request the presentation of existing certificates from experts, certifications or internal audits, or check the technical and organizational measures of consentmanager personally or have them checked by a competent third party after timely coordination during normal business hours, or this third party is not in competition with consentmanager. The client will only perform controls to the extent necessary and will not disproportionately disrupt the operational activities of consentmanager.
2. consentmanager undertakes to provide the client with all information and evidence necessary to carry out a review of consentmanager's technical and organizational measures, within a reasonable period of time, at his/her written or verbal request.
3. The client documents the inspection result and informs consentmanager about it. In the event of errors or irregularities which the client determines, in particular when checking the results of an order, he/she must inform consentmanager immediately. If, during the inspection, circumstances are identified whose future avoidance requires changes to the order of procedure, the client shall notify consentmanager of the necessary procedural changes without delay.
4. Upon request, consentmanager provides the client with a comprehensive and up-to-date data protection and security concept for order processing and authorized persons.
5. On request, consentmanager will prove to the client the obligation of the employees according to § 6 paragraph 4.

9. Use of subcontractors

1. The contractually agreed services or the partial services described below may be carried out by subcontractors listed in Appendix 1.5. consentmanager is authorized to create further subcontracting relationships with sub-contractors (“subcontractor relationship”) as part of its contractual obligations. consentmanager is required to carefully select subcontractors for their suitability and reliability. consentmanager will inform the client immediately if new subcontractors are used. The client therefore has a right to reject new subcontractors within one week upon notification. consentmanager has the obligation to engage subcontractors in accordance with the terms of this Agreement, and to ensure that the client is able to exercise his/her rights under this Agreement (in particular, his/her audit and control rights) directly with subcontractors. If subcontractors from a third country are to be included, consentmanager must ensure that the respective subcontractor has an adequate level of data protection (e. g. by concluding an agreement based on EU standard data protection clauses). Upon request, consentmanager will prove to the client the conclusion of the afore-mentioned agreements with his subcontractors.
2. A subcontracting relationship within the meaning of these provisions does not exist if consentmanager entrusts third parties with services that are to be regarded as mere fringe benefits. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without specific reference to services that consentmanager provides for the client and security services. Maintenance and testing services represent subcontractor agreements subject to approval, if these are provided for IT systems that are also used in connection with the provision of services for the client.

10. Inquiries and rights of those affected

1. consentmanager supports the client as far as possible with suitable technical and organizational measures in the fulfillment of its obligations under Art. 12-22 as well as 32 to 36 GDPR.
2. If an affected person asserts rights, such as information, rectification or deletion of his/her data, directly against consentmanager, consentmanager does not react independently, but refers the person concerned without delay to the client and waits for his instructions.

11. Liability

1. consentmanager acknowledges that if a Data Subject has suffered damage as a result of any breach of consentmanager's or any of its sub-processors' obligations referred to in this DPA, consentmanager may be responsible to pay any fines or compensation that might arise as a result of the breach.
2. If the Client has paid such compensation or fine, as written above, due to a breach by consentmanager of its obligations referred to in this DPA, the Client is entitled to issue a claim against the consentmanager in turn.
3. The Client acknowledges that if a Data Subject has suffered damage as a result of any breach of the Client's obligations referred to in this DPA, the Client may be responsible to pay any fines or compensation that might arise as a result of the breach.
4. If consentmanager has paid such compensation or fine, as written above, due to a breach by the Client of its obligations referred to in this DPA, consentmanager is entitled to issue a claim against the Client in turn.
5. In each case, the parties release themselves from liability, if a party proves that they are in no way responsible for the circumstances in which the damage occurred to a Data subject.

12. Extraordinary right of termination

1. The client may terminate the Main Contract without notice in whole or in part, if consentmanager does not fulfill its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or cannot or will not carry out an instruction of the client. In the case of simple – i.e. neither intentional nor grossly negligent – infringements the client sets consentmanager a reasonable period within which consentmanager can stop the infringement.

13. Termination of the Main Contract

1. consentmanager will give all documents, data and data carriers, provided to it by the client, back to the client after the completion of the Main Contract or at any time at the clients request or delete them at the clients request ¡V unless there is an obligation under EU law. This also applies to any backups at consentmanager. consentmanager must have the documented proof of the orderly deletion of still existing data. Documents to be disposed of must be destroyed using a document shredder in accordance with DIN 32757-1. Media to be disposed of must be destroyed in accordance with DIN 66399.
2. The client has the right to control the complete and contractual return or deletion of the data at consentmanager in an appropriate manner.
3. consentmanager is required to treat the data disclosed to consentmanager in connection with the Main Contract as confidential even after the termination of the Main Contract. The present contract will continue to apply beyond the end of the Main Contract as long as consentmanager has personal information submitted by or collected by consentmanager.

14. Final provisions

1. Changes and additions to this agreement must be made in writing. Changes and additions to this agreement must be in writing. The writing requirement also applies to the waiver of the written form.
2. If individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
3. This agreement is subject to German law. Exclusive jurisdiction is hamburg.

Appendix 1.1 - Description of data / data categories

Client data: First name, surname, e-mail address, postal address, telephone number, fax number, Skype data, bank details, PayPal data, tax number, order data, IP address, time of visit, duration of visit
Visitor data: IP address, time of visit, consent information, browser string, referrer, country

Appendix 1.2 - Description of the affected / affected groups

Client, Website Visitor (third party)

Appendix 1.3 - Technical and organizational measures of consentmanager

Our .

Appendix 1.4 - Authorized Persons

The authorized persons of the client are to be named by the client within the CMP account settings (account owner). The recipients of the directive at consentmanager are the managing directors of consentmanager and the contact person assigned (account manager) to the client.

Appendix 1.5 – Subcontractors

consentmanager AB, Haltegelvägen 1b, 72348 Västeras, Sweden (Service provider)
Plusserver GmbH, Hohenzollernring 72, 50672 Cologne, Germany (Datacenter)
DataCamp Ltd, 207 Regent Street, London, UK (CDN)