Terms and Conditions

The following General Conditions of Business regulate the contractual relationships between QRCode Monkey GmbH, Weinbergstraße 64, 01129 Dresden (hereafter “QRCode Studio”, “we” or “us”) and the users and contractual parties (hereafter “Customer” or “you”, each ) as well as the associated agreements between the parties. QRCode Studio and Customer are individually referred to herein as a “Party”, and collectively as the “Parties”.
Additional identification and the details registered in the commercial register of business names and corporate entities as well as the name of an authorized person responsible for the business of QRCode Studio, can be obtained from the disclaimer on the QRCode Studio website.
Please read through the following General Conditions of Business (hereinafter referred to as the ʻGCBs’) carefully.

Art. 1 Subject matter of the user agreements and generalities

1) The QRCode Studio website is a tool to create and manage QR codes. The services provided on the website enable companies and marketers to create custom QR code campaigns, organize them and track their success.

2) QRCode Studio provides an user-friendly content management system to edit and create QR codes.

3) QRCode Studio operates as a ‘self-service solution’ whereby the content of the QR codes are created and serviced completely, or to a great extent, by the user him-, her-, or it -self.

4) The description of the services of QRCode Studio, shown in the ‘description of services‘, are solely legally binding for the services provided, apart from these present GCBs. And, these can, under circumstances be concretized by additional indications in the agreements and in the invoices.

5) The contractual parties of QRCode Studio are consumers within the meaning of Art. 13 of the German Federal ‘BGB – Buergerliches Gesetzbuch’ (Civil Law Code). and (retail) traders within the meaning of Art. 14 of the German Federal ‘BGB. A trader is a natural or legal person or a legally incorporated partnership, which all act in the concluding of agreements in the exercise of their trading activities or of their independent occupational activities. The contractual parties are obliged to inform QRCode Studio upon the conclusion of an agreement with it, to give notice when they are registered traders. Otherwise, QRCode Studio must assume that they are consumers.

Art. 2 The conclusion of an agreement and further services

1) The user agreements are contracted upon the registration of the contractual party on the website of QRCode Studio. The chargeable use is contracted when the contractual party subscribes for a ‘Starter’/‘Regular’/‘Premium’ subscription plan. Once the Customer registers, they obtain access to the ‘CMS – Content Management System’ and can create and edit QR codes within the initial trial period for a limited time. A ‘Starter’/‘Regular’/‘Premium’ subscription enables additional functions against payment and a defined quota for QR codes. These functions are indicated in the subscription procedure. Subscriptions are paid regularly to keep functions and QR code quota active. Dynamic QR codes will not work without an active subscription.

2) The subscription plans provided by QRCode Studio include the following options:

  • an initial trial period free-of-charge to test the platform for a limited amount of days.
  • a chargeable ‘Starter’/‘Regular’/‘Premium’ subscription plan for using certain features and for creating a certain amount of QR codes (available features and conditions are shown during the subscription procedure);

The detailed description of the subscription plans is shown during the subscription procedure as well as the specific user agreement.

3) Independent of the type of subscription plan selected by the Customer, the following stipulations are applicable, unless otherwise provided.

Art. 3 Right of withdrawal for Customers (from chargeable services)

Withdrawal instructions and withdrawal rights

Customers can withdraw from their agreements within fourteen (14) days without stating reasons. The time period for withdrawal is fourteen (14) days from the date of the conclusion of an agreement. To exercise the right of withdrawal, users or contractual parties must give a definite declaration of withdrawal to QRCode Studio by means of postal mail or email. To comply with the withdrawal time period, it is sufficient that the declaration of withdrawal is received by QRCode Studio before the expiry of the fourteen (14) days, addressed to:

QRCode Studio
Norbert Sroke
Weinbergstraße 64
01129 Dresden
Email: support@qrcode.studio

The consequences of a withdrawal

When a Customer withdraws from an agreement, QRCode Studio is obliged to refund all payments received from the Customer, to include the consignment charges (except the additional charges incurred for the selection of a form of consignment other than the originally selected more economic standard consignment), with immediate effect and at the latest within fourteen (14 days) from the date upon which the declaration of withdrawal is received at QRCode Studio. The refund will be made by the same method employed for the original payment transaction to QRCode Studio, unless otherwise agreed. But, in no case will charges be made on the Customer for making the refund.

Special Notice:

Unless the Customer specifically informs QRCode Studio appropriately, that they are not in agreement with this stipulation, the Customer hereby declares and agrees, that QRCode Studio may commence providing the previously agreed contractual service before the expiry of the withdrawal time period.

When the contractual services are commenced by QRCode Studio during the time period of withdrawal, then the Customer is to pay QRCode Studio an appropriate charge pro rate of the overall charge for the service provided from the date of the commencement of the service, up to date of the receipt of the declaration of withdrawal. This is, of course only applicable when the Customer has selected a chargeable service.

For any case of withdrawal the German version (Widerrufsbelehrung) below these GCBs shall govern. The English version of the right of withdrawal described above is solely for the purpose of understanding. In the event of any inconsistencies between the German version of the right of withdrawal and the English version, the German version shall prevail.

Art. 4 The contractual duty of the Customer

1) The liability for the QR codes or for the content transmitted and published through the QR codes of the Customer, is solely that of the Customer. They are obliged to uphold decency and the requirement of the objectiveness of the statute law. The Customer primarily binds themselves to the following:

  • to respect the rights of third parties;
  • not to disseminate illegal, defamatory or offensive content;
  • not to upload damaged or infected data or files;
  • not to disseminate any false or ambiguous information in the content;
  • not to give any false or ambiguous information in the registration;
  • to give a disclaimer of the user contractual party, so that the person can be identified who created and edited the content.

2) QRCode Studio has the right to erase all content of the Customer infringing the foregoing regulations, with immediate effect. The user is to keep QRCode Studio harmless from any claims of third parties concerning infringements of third-party rights perpetrated via the account or the access to the services of the relative user.

3) In addition, QRCode Studio hereby reserves the right to exclude the Customer from the employment of their QR codes, in the case of a foregoing infringement.

4) The Customer is responsible to test if the created QR codes are working correctly before using them for their intended purposes.

Art. 5 Changes in the GCBs and divergences from the services provided

1) QRCode Studio hereby reserves the right to change the GCBs without stating reasons, unless these are unreasonable for the Customer. In case of a change in the GCBs, users and contractual parties will be notified thereof in good time. The Customer accepts the newly changed GCBs, unless they complain within six (6) weeks. At the same time as the notification of the changes in the GCBs, the Customer will be instructed on the availability of withdrawal rights and the significance of the withdrawal time period.

2) Otherwise, changes in the GCBs by QRCode Studio will be made in the following cases:

  • the changes are solely for the benefit of the Customer;
  • the changes are mandatory for QRCode Studio, to bring the GCBs in line with applicable law and in particular with alterations in statutory requirements;
  • the changes are a consequence of a court order on QRCode Studio or a decision of the authorities;
  • the changes are necessary because of the introduction of new content or elements in the services, unless the changes involve disadvantages to the Customer in comparison with the original conditions.

In such cases, a notification will be issued to the Customer of the intended changes in the GCBs.

3) QRCode Studio hereby reserves the right to diverge from the services provided, unless such is unreasonable for the Customer. Divergences will be introduced in the following cases:

  • to close any existing security loopholes;
  • to address any existing or altered statutory requirements or to comply with an order of the court.

4) No divergences from the services provided in the foregoing sense will represent changes in the graphic form or any restructuring of the functions.

Art. 6 Invoicing, settlement and terms and conditions of payment

1) The Customer can pay invoices by means of the settlement procedure provided by QRCode Studio. When an amount due cannot be collected and/or settled, then the Customer is to bear all the charges incurred by QRCode Studio, in particular bank charges in connection with the refund of direct debits and similar charges to the extent of the responsibility of the Customer for the circumstances involved.

2) QRCode Studio is entitled hereunder to transmit invoices and payment reminders solely by electronic means.

3) The charge for the subscription plans is payable for the total definite time period with immediate effect.

4) QRCode Studio hereby reserves the right, to increase the charge for the subscription plans appropriately, at the commencement of any new extended contractual time period, subsequent to the minimum user time period or to the current extension time period. An increase in charge will be made only once during any one contractual time period. In such a case, QRCode Studio will notify the Customer appropriately at least six (6) weeks before the end of the minimum user time period and/or the current extension time period. When a Customer wishes to contradict, they can do so within four (4) weeks by postal mail or by email. Such a contradiction is tantamount to a notice to terminate the agreement for the subscription plans by the Customer, so that the agreement terminates as of the expiry date of the existing minimum user time period, or of the current extended extension contractual time period.

5) In cases of settlement by direct debit, QRCode Studio will require the name of the bank and the postal address of the Customer, as well as his-, her-, its approval to settle by direct debit. In cases of settlement by credit card, QRCode Studio will require the postal address as well as the approval of the Customer. The relative charges are to be borne by the Customer.

Art. 7 Duration and termination of the agreements

1) An account will be opened for the creation of QR codes with an initial trial period. The trial period offers limited features for testing QRCode Studio for a defined duration. After the end of the trial period all features and QR codes will be disabled. To activate or enable additional features after the trial period a subscription concretized by the plans provided by QRCode Studio is needed. The contracting of the agreement will require no particular termination of the original agreement. The duration of a subscription plan continues together with the existence of the account until the Customer unsubscribes or cancels the current subscription.

2) Independent of the plan selected by the Customer, both the Customer and QRCode Studio are entitled to give notice to terminate the agreement, without observing a time period of notice, extraordinarily at all times on material grounds. A material ground for an extraordinary and immediate termination of an agreement is, when the continuation of an agreement is unreasonable for the party giving notice, up to the expiry of the statutory time period of notice to terminate, under consideration of all circumstances of individual cases and the interests of both parties.

3) Material grounds for QRCode Studio in particular would be the following circumstances:

  • failure to observe statutory requirements by the Customer;
  • infringements by the Customer of their contractual duties;
  • the Customer exploits the QR codes for associations or communities, which are under the scrutiny of the security authorities or the authorities for the protection of juveniles;
  • the Customer is a member of a sect or controversial religious denomination in Germany.

Art. 8 Stipulations concerning the content of third parties

1) When QRCode Studio employs services or content from third-party providers, in particular interfaces, graphics and/or texts, their exploitation is only from free sources or subject to appropriate licensing.

2) QRCode Studio can adopt no liability for the content, data and information made available, employed and posted by the Customer. This also applies to proposals made by QRCode Studio and adopted by the Customer. No verification of the legal position will be undertaken by QRCode Studio and such is a matter for the Customer.

3) In case of the occurrence of material grounds for giving notice to terminate an agreement under Art. 7, Section 4, QRCode Studio can impose the following sanctions, independent of the notice to terminate:

  • the erasure of content, which the Customer has introduced;
  • deactivation of the access to the services of the QRCode Studio website or to individual applications; or
  • the issuing of a caution.

4) Otherwise, QRCode Studio hereby refers to liabilities for the content of the Customer on the ‘Disclaimer’ of QRCode Studio, which is viewable via the link.

Art. 9 Liabilities and limitations of liability

1) QRCode Studio is liable without limitation for premeditative and gross negligent infringements of contractual duties and statutory duties, perpetrated by QRCode Studio, its legal representatives or vicarious agents involving death or injury to persons or encroachments upon their health, as well as loss or damage to property.

2) The following are also applicable hereto notwithstanding the stipulations of Art. 9, Section 1:

  1. QRCode Studio will make every effort to ensure access to the website of the Customer, and the availability of the app, twenty-four (24) hours a day and seven (7) days a week. There is no claim to the services of QRCode Studio in cases of non-culpable breakdowns or restrictions of the use, e.g. disruptions in the internet, or ‘Act of God’ (force majeure), or to indemnities for loss or damage or diminution. The same applies for temporary encroachments caused by necessary updates for the QR codes, or servicing- and maintenance -routines on the website. In addition, no warranty, guarantee or liability can be adopted for the QR codes being capable of display and fully functional on all mobile terminal equipment (e.g. by erroneous browser settings).
  2. QRCode Studio is only liable for gross negligence when QRCode Studio infringes essential contractual duties, i.e. those duties whose explanation actually enables the execution of the contractual agreement, and compliance with which, the Customer can regularly expect (so-called ‘cardinal contractual duties’). The liability of QRCode Studio is limited to the type of loss or damage foreseeable at the date of the contracting of the agreement and/or to the typical loss or damage foreseeable at the point in time of the infringement.
  3. The regulations of Art. 9 include all contractual and statutory claims, which may result from these GCBs of use and from the use of the services provided by QRCode Studio. Otherwise, any other liability of QRCode Studio is excluded hereunder. This applies in particular to loss of data or loss or damage to the terminal equipment of the Customer by the non-premeditated behaviour of QRCode Studio.

Art. 10 Data protection and advertising

1) The collection and use of personally identifiable data as well as private postal addresses and locations may only be made with the approval of the Customer, or in so far as is permitted by the statute law.

2) The self-developed content made available by QRCode Studio as well as their design, are copyright protected. All rights are hereby reserved by QRCode Studio. The copying, reproduction and dissemination of all texts, graphics, video- and sound –sequences and other content are only permitted with the permission of QRCode Studio.

3) QRCode Studio exploits raised data for the expansion of statistics on user behaviour, which however reveal no identification whatsoever. All such evaluations are held anonymously and are not personally referred.

4) QRCode Studio acts according to the general data protection statutory requirements enshrined in the German Federal ‘BDSG – Datenschutzgesetz’ (Data Protection Legislation and in the ‘TMG – Telemediengesetz’ (Telemedia Legislation), for the individual use of information- and communication –services to the public at large, in text, sound and image. Under the ‘BDSG’-Data Protection Legislation, QRCode Studio acts on the principles of data-reduction, data-economy, data-transparency and data-security. The data raised and exploited by QRCode Studio, and also by its contractors, are only employed for the necessary execution of the agreements concluded with the users and contractual parties, and for the servicing of the contractual relationship thereunder, as permitted under statutory requirements, and when required by either of the parties.

5) The Customer hereby declares and agrees, that the user data may also be exploited by QRCode Studio for purposes of advertising, market research or for the required design of telemedia, and for the creation of user profiles in anonymous form. The possibility exists at all times to contradict the exploitation of the user data. Under no circumstances are user profiles brought together in conjunction with the relative personally referred data. The introduction of advertising is conducted under consideration of the statutory requirements of Art. 4a of the ‘BDSG’-Data Protection Legislation, Art. 12 et seq. of the ‘TMG’-Telemedia Legislation and Art. 7, II of the German Federal ‘UWG – Unlauterer Wettbewerbs-Gesetz’ (Legislation governing unfair competition).

6) Should the Customer require information on their raised personally referred data, or the erase of the same, the sending of an email message to: support@qrcode.studio is sufficient.

7) The data protection rights of the Customer are otherwise published in the Privacy Policy of QRCode Studio, which can be viewed by clicking on the link.

8) To the extent QRCode Studio processes personal data protected by Data Protection Laws as a processor on your behalf, you and QRCode Studio shall be subject to and comply with the Data Processing Addendum ("DPA"), which is set out in Appendix 1. The DPA is incorporated into and forms an integral part of this Agreement.

Art. 11 Final stipulations

1) QRCode Studio is entitled to assign its contractual rights and duties in whole or in part to third parties. In such a case, the Customer will be given specific notice thereof.

2) The place of the corporate domicile (registered office) of QRCode Studio is Dresden, Germany.

3) The place of fulfilment for the contractual duties is the place of the corporate domicile (registered office) of QRCode Studio.

4) The place of jurisdiction for all disputes concerning the content and extent of the agreement, is the place of the corporate domicile (registered office) of QRCode Studio. The place of jurisdiction is not applicable for consumers, but only when the Customer is a registered trader, a legal person under the public law, or a holder of special assets under the public law.

5) The body of law of the Federal Republic of Germany is applicable, to the exclusion of the United Nations Convention of Contracts for the International Sale of Goods.

6) Should any one stipulation of these present GCBs be or become ineffective, or be altered because of individual contractual arrangements, then such is not to affect the validity and effectiveness of the remaining stipulations of the GCBs, unless any insistence on the terms and conditions of the agreement involves hardship for a contractual party.

(Version: December 2021)



Sie haben das Recht, binnen vierzehn Tagen ohne Angaben von Gründen diesen Vertrag zu widerrufen. Die Widerrufsfrist beträgt vierzehn Tage ab dem Tag des Vertragsschlusses. Um Ihr Widerrufsrecht auszuüben, müssen Sie uns - QRCode Monkey GmbH, Weinbergstraße 64, 01129 Dresden, support@qrcode.studio - mittels einer eindeutigen Erklärung (z.B. ein mit der Post versandter Brief oder E-Mail) über Ihren Entschluss, diesen Vertrag zu widerrufen, informieren. Sie können dafür das beigefügte Muster-Widerrufsformular verwenden, das jedoch nicht vorgeschrieben ist. Sie können das Muster-Widerrufsformular oder eine andere eindeutige Erklärung auch auf unserer Webseite https://qrcode.studio elektronisch ausfüllen und übermitteln. Machen Sie von dieser Möglichkeit Gebrauch, so werden wir Ihnen unverzüglich (z.B. per E-Mail) eine Bestätigung über den Eingang eines solchen Widerrufs übermitteln. Zur Wahrung der Widerrufsfrist reicht es aus, dass Sie die Mitteilung über die Ausübung des Widerrufsrechts vor Ablauf der Widerrufsfrist absenden.

Folgen des Widerrufs

Wenn Sie diesen Vertrag widerrufen, haben wir Ihnen alle Zahlungen, die wir von Ihnen erhalten haben, einschließlich der Lieferkosten (mit Ausnahme der zusätzlichen Kosten, die sich daraus ergeben, dass Sie eine andere Art der Lieferung als die von uns angebotene, günstige Standardlieferung gewählt haben), unverzüglich und spätestens binnen vierzehn Tagen ab dem Tag zurückzuzahlen, an dem die Mitteilung über Ihren Widerruf dieses Vertrages bei uns eingegangen ist. Für diese Rückzahlung verwenden wir dasselbe Zahlungsmittel, das Sie bei der ursprünglichen Transaktion eingesetzt haben, es sei denn, mit Ihnen wurde ausdrücklich etwas anderes vereinbart; in keinem Fall werden Ihnen wegen dieser Rückzahlung Entgelte berechnet.


Wenn Sie den Vertrag widerrufen wollen, dann füllen Sie bitte dieses Formular aus und senden Sie es zurück.

QRCode Monkey GmbH
Weinbergstraße 64
01129 Dresden

Hiermit widerrufe(n) ich/wir (*) den von mir/uns (*) abgeschlossenen Vertrag über den Kauf der folgenden Waren (*)/ die Erbringung der folgenden Dienstleistung (*)

Bestellt am (*)/erhalten am (*)
Name des/der Verbraucher(s)
Anschrift des/der Verbraucher(s)
Unterschrift des/der Verbraucher(s) (nur bei Mitteilung auf Papier)

(*) Unzutreffendes streichen

Hinweis zum vorzeitigen Erlöschen des Widerrufs

Wir weisen darauf hin, dass bei Verträgen über die Lieferung von nicht auf einem körperlichen Datenträger befindlichen Daten, die in digitaler Form hergestellt und bereitgestellt werden (digitale Inhalte) Ihr Widerrufsrecht vorzeitig erlischt, wenn Sie ausdrücklich zugestimmt haben, dass QRCode Studio mit der Ausführung des Vertrags vor Ablauf der Widerrufsfrist beginnt, und Ihre Kenntnis davon bestätigt haben, dass Sie durch Ihre Zustimmung mit Beginn der Ausführung des Vertrags Ihr Widerrufsrecht verlieren.

- Ende der Widerrufsbelehrung -

Appendix 1 - Data Processing Agreement


This Agreement on the Processing of Personal Data within the meaning of Article 38 (3) EU-Regulation 2016/679 (“GDPR”) (following this (“Agreement” or “DPA”) forms an integral part of the Terms & Conditions the Parties agreed on (following “Main Agreement”). Capitalized words shall have the meaning as set forth in the Main Agreement unless defined otherwise in this Agreement.

Customer shall be the person responsible within the meaning of Art. 4 no. 7 GDPR (hereinafter referred to also as “Controller”) and QRCode Studio shall be the processor within the meaning of Article 4 no. 8 GDPR (hereinafter referred to also as “Processor” or “QRCode Studio”; individually referred to as “Party”, collectively referred to as “Parties”).

The Controller (responsible for the processing) and the Processor conclude the following contract for data processing pursuant to Art. 28 GDPR. Based on the contractual relationship existing between the Parties, QRCode Studio processes personal data for the Controller. The resulting data protection rights and obligations of the Parties are specified in this Data Processing Agreement. The annexes to this contract are an integral part of the agreement. The provisions made must apply to all services which the processor provides for the Controller and all associated activities which result in and may result in the processing of personal data.

That being said, the Parties agree as follows.

§ 1 | Subject and Duration of Data processing

1Processor is providing a service to create QR Codes for Controller. This service is an all-in-one QR Code marketing platform. 2Within the platform of the Processor, QR Codes can be created, designed, managed, and tracked for mobile campaigns. 3The scope of data processing is the provision of web-based software for QR code campaigns . 4Further Details of the subject matter and the duration of the processing are defined in the Main Agreement between the Parties, which is based on the Client’s General Conditions of Business. 5The precise functionality of the software and hence the service may change over time and may also be dependent on the specific performance agreed between the Parties. 6This contract is legally dependent and shares the legal fate of the Main Agreement. 7A termination of the Main Agreement automatically causes a termination of this Agreement. 8The Parties are aware that no (further) data processing may be carried out without the existence of a valid data processing agreement. 9An isolated orderly termination of this Agreement is excluded.

§ 2| Specification of the Data Processing
(1) Type(s) and purpose(s) of Data Processing

1The processing of personal data is not to be qualified as the main object or purpose, but rather as a reflexive, unavoidable side effect of the provision of services by the Processor. 2Notwithstanding the above, it is not excluded that the Processor processes personal data within the meaning of Art. 4 No. 2 GDPR in order to be able to create the QR Codes and generate marketing campaigns. 3Overall, the data processing fulfills the following purposes:

  • Generation of QR Codes, based on the entered data (the entered data can be considered personal data),
  • Caching of the entered data for performance reasons,
  • Long-term (no longer than until the end of the Performance Agreement) storage of the data saved by the Client for easier reusability by the client,
  • Publication on websites and hosting of such websites,
  • Integration of social media plugins on these websites,
  • Tracking by means of the generated QR Codes and
  • Maintenance and troubleshooting (it is not possible that the Controller or the Controller’s Employees will be granted access to this personal data during this process. However, the processing of the data concerned is not the purpose of this activity and is performed only to the extent necessary to carry out maintenance and troubleshooting).

3In particular, the processing includes the collection, recording, organization, storage, reading out, use, disclosure by transmission, dissemination, or any other form of provisioning, reconciliation, deletion or erasure.

(3) Place of Processing

1The provision of the contractually agreed data processing generally takes place in a Member State of the European Union (EU) or in another Contracting State to the Agreement on the European Economic Area (EEA). 2The Processor is nonetheless permitted to process personal data outside the EEA in compliance with the provisions of this contract if he informs the Controller in advance of the place of data processing and if the requirements of Art. 44 et seq. GDPR are met.

(4) Type(s) of data

The subject of the processing of personal data are the following data types / categories:

  • People Master Data (Key Personal Data)
  • Contact / Communication Data (e.g., telephone, email)
  • Tracking data
  • Usage data
  • Geo-data (transmitted by IP location finding)
(5) Categories of Data Subjects

1The categories of persons affected by processing include:

  • Controller’s customers and employees;
  • Prospects, including persons that scan/click on the Controller’s QR codes or short URLs that are created using the Processor’s platform.

2As the Processor provides the Controller with a web-based platform, the type(s) of data processed, and the categories of data subjects depend on the data entered by the Controller. 3The Controller shall ensure that the data entered has been lawfully collected and may be processed by the Processor.

§ 3 | Technical and Organizational Measures

(1) 1The Processor must document the implementation of the Technical and Organizational Measures set out prior to the award of the contract and prior to the start of processing, in particular regarding the specific execution of the Processor, and hand them over to the Controller for review. 2The Controller hereby accepts the Technical and Organizational Measures set out in Annex 1 to this Agreement. 3The documented measures become the basis of the contract. 4If an inspection or audit of the Processor proves a need for adjustment, it shall be implemented in accordance with this Agreement.

(2) 1The Processor shall establish the security in accordance with Art. 28 (3) lit. c and lit. e and Art. 32 GDPR, in particular in conjunction with Art. 5 (1) and (2) GDPR. 2The actions to be taken are data security measures and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems and services. 3Thereby, the state of the art, the implementation costs and the nature, scope and purpose of the processing as well as the different probability and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR must be considered [details in Annex 1].

(3) 1The Technical and Organizational Measures are subject to technical progress and further development. 2In that regard, the Processor is allowed to implement alternative and adequate measures. 3In doing so, the security level of the specified measures must not be reduced. 4Substantial changes are to be documented.

§ 4 | Quality Assurance and other Obligations of the Processor pursuant Art. 28 (3) (1) GDPR

In addition to complying with the provisions of this Agreement, the Processor has his own statutory obligations of a processor; in particular, he ensures compliance with the following requirements:

  1. 1To the extent required by law, the Processor appoints a competent and reliable person as data protection officer, who carries out his activity in accordance with Art. 39, 38 GDPR. 2The contact details of the named data protection officer are shared with the Controller for the purpose of direct contact. 3If the Processor is not obliged to appoint a data protection officer, he appoints a contact person for data protection matters, whose contact details are communicated to the Controller for the purpose of direct contact. All changes in the person of the data protection officer or the contact person must be reported to the Controller without delay.
  2. In accordance with Art. 28 (3) (2) lit. b GDPR the Processor shall procure that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory secrecy obligation and have been previously familiarized with the data protection regulations relevant to them.
  3. The Processor and any person subordinate to the Processor who has access to personal data may process this data exclusively in accordance with the instructions (Art. 29, 32 (4) GDPR) of the Controller, including the powers granted in this Agreement unless they are required by law to process.
  4. The Processor guarantees the implementation and compliance with all Technical and Organizational Measures required for this Agreement in accordance with Art. 28 (3) (2) lit. c, Art. 32 DSGVO [details in Annex 1].
  5. The Controller and the Processor (and their representative if necessary) work together with the supervisory authority on request to fulfill their duties (Art. 31 GDPR).
  6. 1The Processor undertakes to inform the Controller without undue delay of any supervisory acts and measures which are pertinent to the processing insofar as they relate to this Agreement. 2This also applies if a competent authority investigates the processing of personal data by the Processor in the context of an administrative offense or criminal proceedings.
  7. Insofar as the Controller himself is subject to inspection by the supervisory authority, an administrative offense or criminal procedure, the liability claims of a data subject or a third party or any other claim in connection with the processing by the Processor, the Processor shall use his best efforts to support the Controller.
  8. The Processor shall regularly review his internal processes and Technical and Organizational Measures to ensure that the processing within his area of responsibility complies with the requirements of applicable data protection law and that the protection of the data subject's rights is ensured.
  9. The Processor guarantees the verifiability of the Technical and Organizational Measures taken towards the Controller within the scope of his control powers pursuant to § 6 of this Agreement.
§ 5 | Conditions for Subcontracting pursuant to Art. 28 (3) (2) lit. d GDPR in conjunction with Art. 28 (2) and (4) GDPR

(1) 1Subcontracting means services directly related to the provision of the main service. 2Not as subcontracting, however, such services are to be regarded as those which the Processor claims from third parties as a mere ancillary service in order to carry out the business activity. 3These include, for example, cleaning services, pure telecommunication services without specific reference to services rendered by the Processor to the Controller, postal and courier services, transport services or security services. 4However, the Processor is obliged to ensure, even with ancillary services provided by third parties, that reasonable precautions and technical and organizational measures have been taken to ensure the protection of personal data. 5The maintenance and servicing of IT systems or applications constitutes a subcontracting agreement subject to approval and data processing within the meaning of Art. 28 GDPR, if the maintenance and testing concerns systems that are also used in connection with the provision of services for the Controller and in the maintenance of personal data that can be accessed on behalf of the Controller.

(2) In accordance with the provisions of Art. 28 (1) (1) GDPR, the Processor will not use any other processor (sub-processor, sub-subprocessor) without prior separate or general written authorization by the Controller whereby all subcontracting provisions shall accordingly apply both to the sub-processor and to any subsequent (sub-) subprocessor subsequently used.

(3) Any existing or planned subcontracting by the Processor is listed in Annex 2 to this Agreement. 2The Processor concludes these agreements in accordance with Art. 28 (2) and (4) GDPR if no such contract has already been concluded.

(4) 1The Controller hereby authorizes in general terms the use of additional processors (sub-processors) by the Processor. 2The Processor will inform the Controller of any intended changes in relation to the removal or replacement of other processors. In each individual case, the Controller has the right to object in writing or in text form to the procurement of a potential additional processor. 4An objection may only be raised by the Controller for important reasons to be proven to the Processor. 5If the Controller does not object within 14 days after receipt of the notification, he shall have forfeited his right of objection to the corresponding assignment. 6If the Controller refuses consent for other than important reasons, the Processor may terminate this Agreement as well as the Main Agreement at the time of the intended use of the subcontractor.

(5) 1The transfer of personal data of the Controller to the sub-processors and its initial action shall only be permitted upon fulfillment of all conditions for sub-processing. 2The Processor shall contractually ensure that the provisions agreed between the Controller and the Processor also apply to sub-processors. 3The contract with the sub-processors shall specify the details in a sufficiently specific manner to clearly separate the responsibilities of the Processor and the sub-processors. Where several sub-processors are used, this shall also apply to the responsibilities between those sub-processors. 4In particular, it is the Processor's responsibility to transfer his data protection obligations under this contract to the other processor in accordance with Art. 28 (4) (1) GDPR.

(6) 1If the sub-processor provides the agreed service outside the EU / EEA, the Processor shall ensure that the compliance with data protection law is fulfilled through appropriate measures. 2The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.

§ 6 | Control Rights of the Controller in accordance with. Art. 28 (3) (2) lit. h GDPR

(1) 1The Controller has the right to carry out inspections in consultation with the Processor or to have them carried out by auditors to be appointed in individual cases who are not allowed to compete with the Processor. 2The Controller has the right to verify the compliance of the Processor with this Agreement in his business through sampling checks. 3Checks and inspections may only be carried out in accordance with the Processor. 4They must be announced at least four weeks in advance, may only be carried out during normal business hours and may not disrupt business operations. 5Checks and inspections may not be carried out more often than once a year. 6Costs and expenses resulting from this for the Processor shall be borne by the Controller, which are usually timely to be announced in advance.

(2) 1The Processor shall ensure that the Controller can satisfy himself of the compliance with the obligations of the Processor in accordance with Art. 28 GDPR. 2The Processor undertakes to provide the Controller with the necessary information upon request and in particular to prove the implementation of the Technical and Organizational Measures.

(3) 1The proof of such measures, which do not concern only the concrete processing, can be carried out by compliance with approved codes of conduct pursuant to Art. 40 GDPR; the certification according to an approved certification procedure according to Art. 42 GDPR current certificates, reports or reports extracts of independent bodies (e.g., auditors, auditors, data protection officers, IT security department, data protection auditors, quality auditors) and / or appropriate certification through an IT security or data protection audit [e.g., according to the Federal Office for Security in Information Technology (BSI Grundschutz)].

§ 7 | Support and Notification Obligations of the Processor pursuant to Art. 28 (3) (2) lit. e and f GDPR

(1) 1The Controller is responsible for safeguarding the rights of the data subjects. 2In this context, the Processor is nonetheless obligated, depending on the type of processing, to support the Controller – to the extent possible and adequate - with suitable technical and organizational measures to fulfill the Controller’s obligations with regard to the rights of the data subjects referred to in Chapter III of the GDPR, that is to say, when responding to data subjects' inquiries concerning the Controller’s information obligations to the persons concerned, their right of access, their right of rectification, erasure, restriction of processing, data portability and related communication obligations of the Controller, the right to object to automated decisions, including profiling, if the data subject asserts any such rights. 3If the data subject complains at the Processor in order to assert a right, the latter forwards the inquiries to the Controller without undue delay.

(2) 1The Processor shall also assist the Controller, taking into account the nature of the processing of the contract and the information available to the Processor, in compliance with the obligations set out in Articles 32 to 36 GDPR, i.e. in the performance of the Controller’s legal obligations on data security, reporting of data breaches to supervisory authorities and the persons concerned, to carry out data protection impact assessments, and to prior consultation of the competent authority, if required by the data protection impact assessment. 2The Processor and the Controller cooperate in response to inquiries from the relevant supervisory authorities in the performance of their duties.

§ 8 | Authority of the Controller

(1) 1The Processor shall process personal data only in accordance with the agreements made and following the instructions of the Controller unless he is obliged to process otherwise by the law of the Union or of the Member States to which the Processor is subject (Art. 28 (3) (3) lit. a, Art. 29 GDPR). 2In the event of such an obligation, the Processor shall inform the Controller of these legal requirements prior to processing, unless the law prohibits such notification on grounds of a prevailing public interest.

(2) 1The Processor warrants that the processing will be carried out in accordance with the instructions of the Controller. 2If the Processor is of the opinion that an instruction of the Controller violates this Agreement or applicable data protection law, he must inform the Controller immediately. 3Following a corresponding notification to the Controller, the Processor is entitled to suspend the execution of the instruction until the Controller confirms or changes the instruction. 4The Parties agree that the sole responsibility for the processing according to instructions lies with the Controller.

(3) 1The Controller's instructions are always in written or text form. If necessary, the Processor can also give verbal instructions (remotely). Remote verbally issued instructions are to be confirmed by the Controller immediately in written or text form.

§ 9 | Erasure and Return of Personal Data pursuant to Art. 28 (3) (2) lit. g GDPR

(1) 1Copies or duplicates of the data are not made without the knowledge of the Controller. 2Excluded from this are backup copies, to the extent necessary to ensure proper data processing, as well as data copies required regarding compliance with statutory retention requirements.

(2) 1After the conclusion of the contractually agreed work or sooner upon request by the Controller - at the latest upon termination of the Main Agreement - the Processor has all documents, processing and utilization results as well as data, which are related to the contractual relationship to hand over to the Controller or to destroy it after prior consent in accordance with data protection law. 2The same applies to test and reject materials. 3The log of the deletion must be submitted on request.

(3) 1Documentation serving as proof of orderly and proper data processing shall be kept by the Processor according to the respective retention periods beyond the end of this Agreement. 2He may hand them over to the Controller for his discharge at the end of this Agreement.

§ 10 | Miscellaneous

(1) 1Both Parties are obligated to treat confidentially all knowledge of trade secrets and data security measures of the respective other party obtained in the contractual relationship as well as for the time after the termination of this Agreement. 2If there is any doubt as to whether any information is subject to the obligation of secrecy, it shall be treated as confidential pending the written approval of the other party.

(2) If the Processor's property is endangered by measures taken by third parties (such as seizure or confiscation), insolvency or settlement proceedings or other events, the Processor must immediately inform the Controller.

(3) For additional Agreements, the written form is required. This equally applies to the lack of this formal requirement.

(4) The objection of the right of retention, irrespective of the legal grounds, shall be excluded with regard to the data processed in context with this DPA and regarding relevant data carriers.

(5) This DPA shall also apply if and insofar as authorities or courts deviate mutatis mutandis from a joint responsibility of the contracting parties pursuant to Art. 26 GDPR.

(6) 1Should individual provisions of this DPA be wholly or partially invalid or unenforceable or become ineffective or unenforceable because of changes in the legislation after conclusion of the DPA, its remaining provisions and the validity of the DPA as a whole shall remain unaffected thereby. 2The invalid or unenforceable provision shall be replaced by an effective and enforceable provision which comes as close as possible to the purpose of the invalid provision. 3If the DPA should prove to be incomplete, such provisions shall be deemed to have been agreed which correspond to the purpose of the DPA and would have been agreed upon in the case of consideration.

(7) The Processor may demand appropriate remuneration, to be agreed in advance with the Controller in each individual case, for additional expenditure incurred as a result of his support services in connection with additional services which are not included in the service description or which go beyond the statutory obligations of the Processor or are not attributable to misconduct on the part of the Processor.

(8) 1The DPA is exclusively subject to the laws of the Federal Republic of Germany to the exclusion of its international laws of conflict.

(9) The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is the registered office of the Processor.

(10) In the event of any conflict or inconsistency between the Main Agreement or other Agreements between the Parties and this Data Processing Agreement regarding the subject matter of this DPA the following rule of precedence shall apply to the extent possible by applicable law:

  1. This Data Processing Agreement
  2. The Main Agreement
  3. Other Agreements between the Parties
Annex 1 – technical and organizational measures

Taking into account the

  • state of the art,
  • the costs of implementation,
  • the nature, scope and circumstances,
  • the purposes of the processing and
  • the varying likelihood and severity of the risk to the rights and freedoms of natural persons

the Processor shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

In assessing the adequate level of protection, particular account shall be taken of the risks inherent in the processing, in particular from destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.

The Processor shall take the following measures:

1. Physical access control
  • Entrances are secured by a locking system
  • Key allocation and withdrawal to office space is documented by the management
  • Withdrawal of means of access after expiry of the authorization
  • Visitors and external personnel shall only be granted access if accompanied by personnel of the Contractor or the computer centre.
  • Electronic access control system with logging to data centres
  • High security fence around data centers
  • 24/7 staffing of the data centers
  • Video surveillance at the entrances and exits, security gates and server rooms of the data centers
  • No on premise servers
2. Data access control
  • Access protection by username and password or public key procedure
  • Access to server systems via encrypted connection
  • Documentation of user accesses
  • The circle of authorised persons is limited to the minimum necessary for operation.
  • Approval of user access by management
  • Access authorizations are assigned by a responsible person.
  • Passwords are stored encrypted
  • Authorizations no longer required are withdrawn promptly
  • Authorizations are revoked if employees are transferred or leave the company.
  • No group passwords to access Client data
  • Guidelines for passwords (structure, minimum length, uniqueness) and their storage
  • Administrators and management have no knowledge of personal passwords of employees
  • End devices are locked with password protection in case of work interruption
  • Encryption on mobile devices and mobile data carriers
3. Data usage control
  • An authorization concept exists for the systems.
  • Access authorizations are approved by management
  • Each authorized user can only access the data that he or she absolutely needs to carry out his or her transferred function.
  • Access to applications is logged, in particular during the entry, modification and deletion of business-relevant data.
4. Data volume control
  • Hard disks of no longer used servers in the data center are overwritten several times for safe deletion
  • Defective hard disks that cannot be safely deleted are destroyed in the data center.
5. Separation control
  • Development, test and production systems are isolated from each other
  • A software-based authorization concept separates the data of the Client from data of other Clients (Client separation).
6. Handover control
  • All employees are bound to data secrecy according to Art. 32 para. 4 GDPR.
  • The data storage and processing of the collected data takes place in computer centres within Germany.
  • The Contractor also cooperates with external service providers - the general terms and conditions and the data protection declaration apply.
  • As far as technically possible, data transmission is based on current encryption technologies (e.g. SSL, TLS).
  • Data with a high need for protection is stored in encrypted form
  • Emails with sensitive content can be exchanged encrypted if required (e.g. OpenPGP)
7. Input control
  • The data is entered or recorded by the Client himself.
  • Changes to the data are logged.
  • Entries by the Contractor shall only be made in accordance with the instructions of the Client.
8. Availability control
  • Daily data backups of the server systems are performed.
  • Daily, weekly and monthly retention periods for data backups
  • Data backups that are no longer required are deleted after half a year at the latest.
  • The performance and operability of the individual data backups is checked regularly.
  • Data backups are stored on physically separate systems in the data center
  • Storage systems with redundancy are used
  • Server systems are equipped with an uninterruptible power supply and mainsreplacement system.
  • Security updates are carried out regularly
  • The server systems are monitored.
  • DDoS protection for server systems
  • Software firewall and port regulations for server systems
  • Use of protection programs (e.g. virus scanner, software firewall, ...) on end devices
9.Server Security
  • All applications and databases hosted within AWS are protected with Hetzner Online GmbH security measures. Hetzner Online GmbH has certification for compliance with ISO/IEC 27001:2013.
10. Recoverability
  • For data center systems, an escalation chain is defined that specifies who is to be informed in the event of a fault in order to restore the system as quickly as possible.
11. Order control
  • Our employees are instructed in data protection law at regular intervals and are familiar with the procedural instructions and user guidelines for data processing on behalf of the Client, also with regard to the Client's right to issue instructions.
  • Contracts for order processing exist with all relevant subcontractors.
  • The Contractor has appointed a Data Protection Officer
  • In the event of breaches of data protection, information will be sent to the Client.
Annex 2 - Subprocessor

This sub-processor list identifies processors within the meaning of Art. 28 GDPR of QRCode Studio that provide services for QRCode Studio.

QRCode Studio currently cooperates with the following sub-processors for the performance of the Agreement. With signature of both Parties, the Controller accepts the involvement of the following processors (excluded from this are the processors under point II - II. Selectable sub-processors). The addition of the processors mentioned under II only takes place if the customer has explicitly consented to the processing by the sub-processors.

Name Address Service
Hetzner Online GmbH Industriestr. 25, 91710 Gunzenhausen, Deutschland Hosting