Data Protection and Confidentiality

1. General Provisions

The following conditions apply in addition to all agreements on cooperation between Bacher Systems EDV GmbH (hereinafter referred to as “Bacher Systems”) and its customers.

2. Data Protection

2.1. The extent to which Bacher Systems (in this context the “Processor”) accesses and processes personal data of the customer (in this context the “Controller”) is solely determined by the Controller. Irrespective of this, the following data protection provisions apply even if the Processor has the technical capability to access such data.
2.2. Through this agreement, the Processor legally confirms that it has implemented all necessary technical and organizational measures in accordance with Article 32 of the GDPR to ensure an appropriate level of protection relative to the risk of the processing. These measures are described in the document “Technical and Organizational Measures of Bacher Systems EDV GmbH under the GDPR,” which will be provided upon request.
2.3. The Processor undertakes to process data and processing results solely within the scope of the service agreement with the Controller. Should the Processor receive an official order to disclose the Controller’s data, it shall — insofar as legally permitted — inform the Controller immediately and refer the authority to the Controller.
2.4. Where the Processor engages sub-processors in accordance with the provisions of this agreement, it guarantees to the Controller that these sub-processors are contractually bound by the same obligations as stipulated in this agreement or in other agreements between the Controller and the Processor.
2.5. The Processor shall establish the technical and organizational requirements necessary for the Controller to fulfill its obligations under data protection law — including the rights to information, access, rectification, erasure, restriction, and data portability, as well as all other obligations (in particular Articles 32 to 36 GDPR and the rights of data subjects under Chapter III GDPR). The Controller alone is responsible for fulfilling these obligations toward data subjects.
2.6. If the Processor becomes aware of a personal data breach, it shall notify the Controller without delay.
2.7. The Processor shall inform the Controller if it believes that any provision of this agreement or any instruction given by the Controller violates applicable data protection law.
2.8. The Processor shall provide the Controller with all necessary information to demonstrate compliance with the obligations set out in this agreement and shall allow for and contribute to audits — including inspections — conducted by the Controller or an auditor appointed by the Controller. If the costs of such audits exceed customary industry standards, the Controller shall bear the excess costs.
2.9. The Controller consents to all sub-processors used by the Processor at the time of entering into this agreement. In the event of service cases involving manufacturers, these manufacturers qualify as sub-processors under the GDPR. Any additional sub-processors beyond these manufacturers are listed on the Processor’s website at https://www.bacher.at/datenschutz. The Processor shall inform the Controller if a sub-processor is to be replaced or added. The Controller may object to the use of the new sub-processor with a justified reason. If no objection is made within 7 days of notification, the new sub-processor shall be deemed accepted.
2.10. The Processor assures that all persons entrusted with data processing have been bound to confidentiality before commencing their duties or are subject to an appropriate legal confidentiality obligation. This confidentiality obligation continues to apply even after the termination of their duties or departure from the Processor.
2.11. Unless otherwise agreed, the Processor undertakes to destroy all processing results and documents containing data after termination of this agreement, provided there are no legal, contractual, or legitimate interests opposing such destruction. If data return is agreed upon, the Processor shall return the data after termination of this agreement in the format in which it was received or in another commonly used format.
2.12. The Controller accepts that the Processor may provide its services via remote support. The remote session connection shall be initiated and authorized by the Controller in coordination with the Processor. The remote support session takes place under the supervision of the Controller. Personal data may be visible during the session, but it will not be copied or reproduced. The Processor typically uses its own application for remote support. If the Controller provides its own remote maintenance application, it shall assume responsibility for the data protection framework applicable to its use.
2.13. If it is necessary for the Controller to provide the Processor with personal data — for example, to resolve issues — such data shall be deleted immediately after completion of the task.

3. Confidentiality and Non-Disclosure

3.1. Both contractual parties are obliged to treat as confidential any information made accessible to them by the other party as a result of this contract, as well as any knowledge gained about the other party's business matters — including technical, commercial, or organizational aspects — during the course of their cooperation. This obligation applies during and after the term of this contract and prohibits disclosure or use of such information beyond the agreed purpose. In particular, the customer shall ensure that offers and contracts, including attachments, provided by Bacher Systems are not disclosed to third parties — in whole or in part, or in edited form — without prior written consent.
3.2. This obligation of confidentiality does not apply to information that:
a) is demonstrably lawfully obtained from third parties,
b) was already publicly known at the time of contract conclusion or became public knowledge thereafter without violating this agreement,
c) was independently developed by the party bound by confidentiality,
d) corresponds with third-party knowledge, ideas, or know-how that was lawfully disclosed and coincidentally overlaps with confidential information under this section.
3.3. Confidential information may be disclosed if required by law or by a binding order of public authorities. In such cases, the recipient shall notify the disclosing party without delay so that appropriate protective measures may be taken.
3.4. These confidentiality obligations shall remain in effect for both parties for a further five (5) years after the termination of this agreement.

(Version: March 2023)