Terms of Service and DPA

General Terms and Conditions for the Organization of an My Country Talks-Event

Download a .pdf version of this document here

My Country Talks

My Country Talks is an international platform, launched by ZEIT ONLINE in 2018, that aims to connect people with opposing views. The core of the project is a Software that enables Organisations to organise or partner in "My Country Talks" Events. With the help of a matching algorithm, the Software provides each participant with a discussion partner who thinks as differently as possible on a number of issues and introduces them for a one-on-one discussion.

By signing up to the My Country Talks software you agree to the following General Terms and Conditions (“GTC”).

1. Applicability of the General Terms and Conditions

The following General Terms and Conditions (“GTC”) apply to all agreements between the Good Conversations gGmbH and Organisations (“Partner” or “Partners”) that apply and register for an event under the “My Country Talks” platform. (“Event” or “MCT Event”). Regulations deviating from these terms and conditions, especially terms and conditions of customers, will not be accepted unless the Good Conversations gGmbH explicitly agrees in writing.

2. Conclusion of Contract

Any Partner can apply to organise an Event on the “My Country Talks” website www.mycountrytalks.com. This application represents an offer to conclude a cooperation agreement with

Good Conversations gGmbH

Speersort 1

20095 Hamburg

A contract is only concluded if and when the Good Conversations gGmbH expressly accepts the application and confirms the Partner’s registration.

After the completion of the registration the Good Conversations gGmbH provides the Partner with access to the “My Country Talks” Software (“Software”) and allows the Partner to host the Event as part of the “My Country Talks” Series in accordance with the provisions of these GTC. The Partner has the option to invite other Organisations (Co-Organizers) to co-host the Event and to create the Event. Co-Organizers have to complete the software registration process before they can partner in the Event.

Any application may be rejected without giving reasons. Any existing contract can be terminated according to the provisions of these GTC.

3. Code of Ethics

By applying for organising or partnering in an Event, the Partner confirms to comply with the Code of Ethics defined under this clause at all times. Furthermore, all event participants must be eighteen years of age or older.

a) General conduct - Anti-discrimination

Each Partner commits to uphold anti-discrimination, non-violent and non-offensive conduct in all aspects of the Event. The Partner will make sure that he and/or his participants will under no circumstances discriminate persons based on sex, age, race, ethnicity, nationality, disability, mental illness or ability, sexual orientation, gender, gender identity/expression, sex characteristics, religion or individual political opinions and that any other targeted, specific and harmful actions or communication that is carried out to make any participant feel threatened, on individual grounds or on the basis of a social or personal characteristics, will not be tolerated.

Questions and any Event content (such as marketing materials, press reports and other) should not violate any of the terms of general conduct.

b) Who we work with

Regardless of the owner of the event, all Partners must meet the following criteria to be approved by the MCT team. The following Organisations can be considered as a Partner of an MCT-Event:

Independent media organisations, excluding publications or other media groups which are created specifically for the purpose of promotion of one or more corporations, without an independent editorial body.
Non-profit organisations who are interested in reaching an audience or community that is independent from and not exclusively affiliated with the organisation. For instance restricting access exclusively to employees, party members, or members.
Other organisations that work with public interest, including ministries, local governments, or other municipal organisations, so long as their audience and goal are independent from their constituents, and not trying to promote any specific political aim.

We can reject any application without giving any reason. An existing contractual relationship can be terminated at any time for good cause. Good cause shall include, among other things, a violation of the Code of Ethics or can be based on the following grounds:

Evidence of non-independence or control by third party interest.
Restriction or exclusion of participants on the grounds of organisation membership, party affiliation and/or employment.
Evidence of any form of discrimination based on sex, gender, age, race, class or other social characteristics, incendiary or offensive behaviour, or inciting violence.

c) Data use

In order to ensure the trust of the participants in the Event and the My Country Talks Series as a whole, each Partner commits himself to not use the data of the participants for any other purpose than for the handling and organisation of the Event and the advertising of the event as well as for any subsequent reporting. The Partner commits in particular not to pass on the data to third or advertising partners.

The Partner commits to comply with the applicable data protection regulations, such as/especially the GDPR and to use any data collected only for project-relevant purposes. These are defined as: organising the Event, editorial reporting, screening participants, and all project-related marketing activities. The Partner commits to not share participant data with third parties, such as social media platforms, unless the Partners have the prior explicit consent of the participants.

If it is planned that the Partner and the Co-Organizers report on the Event, the reporting by the Partner or his Co-Organizers is the responsibility of themselves. Insofar as additional contact is made with participants or additional data processing is carried out for reporting purposes the Partner and his Co-Organizers will ensure that any data protection regulations are adhered to.

Good Conversations gGmbH occasionally works with academic researchers, for example from Harvard and Stanford Universities, to evaluate the statistical, anonymised data collected in the course of organising the events. In the instance that data with a personal reference is to be passed on, this is discussed with the partner beforehand and any necessary consent is obtained from the users.

4. Hosting an Event / Obligations of the Partner

a) Event guidelines

The Partner is responsible for organising the Event according to the requirements and standards of the My Country Talks Event Series lined out in the Code of Ethics.

For creating an Event it is necessary to specify and include various yes/no questions on current topics. In total, the questions should not exceed the number 10. The Partner must define the date of the Event and has to upload an adequate Privacy Policy, the Good Conversations gGmbH will provide an example of a Privacy Policy. This can help the Partner to find out how the Software works and what data is collected for what purposes. However, the Good Conversations gGmbH does not guarantee the legal validity of this Privacy Policy. It is merely an example for further orientation of the Partner. The Partner's obligations to include an effective and sufficient Privacy Policy remain unaffected. The Partner is responsible to ensure comprehensive data protection for the data collected.

The parties assume that the answers to the questions in the Software do not constitute sensitive data within the meaning of Art. 9 GDPR. Furthermore the parties assume, that the data processing carried out for journalistic purposes and will as such be privileged according to Art. 85 GDPR. Nevertheless, the Partner shall ask the participants for their explicit consent (by opt-in) in the processing of their data, in particular their answers to the yes/no questions within the framework of the project.

After completing the creation of an Event, the Partner and any Co-Organizers need to embed the sign-up widget of the Software into their Website to invite participants to the Event. Partners and Co-Organizers are not permitted to enter into agreements involving financial compensation for their participation in an Event. Neither Partners nor Co-Organisers are permitted to offer or request financial compensation for the integration of the sign-up widget into their site, promotion, exchange of data, labour, or any other activities pertaining to the Event.

Each Event consists of the following four phases. Each Partner has to complete all of the phases. Participants should be given adequate time to complete each phase of the event with full information which maximises the opportunity to participate.

In the first phase ("Registration Process") the Partner enables its users to register for the Event via the "My Country Talks" widget which must be embedded into pages on its site. During the Registration Process, partners are obliged to integrate the widget, at a minimum, into all new published content that is relevant to the event, or to any of the registration questions. As part of the Registration Process, the participants will answer the previously defined yes/no questions and provide personal information required for the organisation of the event. The Registration Process must be open for a minimum of two weeks, four weeks are recommended.
After completion of the Registration Process, the so-called "Matching" of the participants takes place. Using its own algorithm, the Software puts together discussion pairs who answered the yes/no-questions as differently as possible and informs the participants about their match via email. Each participant is asked to confirm their match before the next step is initiated. Participants must have at least 48 hours to confirm their match.
If both participants in a match agree to the meeting, they can then discuss their opinions in a personal conversation on the day of the Event.
This will be followed by the "Feedback Phase", in which the participants will be asked for their feedback on the Event.

b) Promotional material and branding

The Partner is obliged to promote the event appropriately and to indicate in all advertising and communication activities that the event is a My Country Talks event.

This can be done, for example, as follows:

"(Event name) is a My Country Talks event" or
"(Event name) is powered by My Country Talks"

Furthermore, a link to the website www.mycountrytalks.org and the My Country Talks logo must be placed in all event communication, and on any landing page for the Event.

The partner is granted a simple, non-exclusive right to use the My Country Talks logo to fulfil the contract for the duration of the contract period.

A copy of any promotional material shall be sent to Good Conversations gGmbH.

Good Conversations is granted the worldwide right to use the partner's company name and logo for the promotion of the Event and My Country Talks Series by listing the partner on its website and in its promotional materials and for reporting purposes, without limitation of time or territory.

5. Functionality of the Software and data collected

Through the sign-up widget of the Software, participants can answer the included yes/no-questions about their views on current issues and are also asked to provide personal information such as name, gender, age, postcode, e-mail address and mobile number.

These data are collected for the following purposes: The answers to the yes/no questions serve to form pairs of discussion with the most contrasting views possible. Based on age, the Software checks that participants are at least 18 years old. The postcode is used during the Matching Process to ensure that the possible conversation partners live close by, in case the Partner chooses to match participants within a certain geographic radius. The e-mail address is used in the preparation of and during the Event to communicate with the participants and to enable the matched participants to start their conversation. The mobile phone number is recorded in order to send a registration code by SMS to participants during registration.

In the Software's questionnaire, participants are also asked to briefly introduce themselves using questions such as "What do you do for a living?" or "How do you spend your free time? The answers to the various questions are later sent to the potential conversation partners by e-mail.

The Software analyses the collected data and forms pairs of participants, so-called and hereinafter referred to as "Matches". The Software then sends an e-mail to the possible conversation partners assigned as Matches, informing them of their Match and the time of a possible conversation. Whether a conversation takes place and how it takes place is the sole responsibility of the participants. The participants will be informed about this fact in the e-mail which informs them about the Match.

After the end of the Event, the Feedback Phase of three months will take place. At the beginning of the Feedback Phase, all participants will be sent a feedback form via e-mail by the Software. The participants are asked to take a screenshot of themselves and their conversation partners and to send it in with the feedback form. With sending in a screenshot the participants agree that their screenshot will be published on the websites and social media channels of the Partner.

6. Obligations of the Good Conversations gGmbH

The Good Conversations gGmbH will support the Partner with the initiation of the Event.

The Good Conversations gGmbH will provide the Partner with a link and password to the Software so that he can access the data of his participants.

The Good Conversations gGmbH grants the Partner the non-exclusive, non-transferrable right to make the Software publicly accessible on his website via embedding for the duration of this contract to invite participants in the Event.

The Good Conversations gGmbH will process the data only on behalf of and in accordance with instructions of the Partner according to the Data Processing Agreement concluded with the Partner.

7. Data Use

The Partner is the owner and the Controller of the collected data. With the completion of the registration the parties conclude a Data Processing Agreement (“DPA”). Within this DPA the Partner is referred to as the Controller and/or Principal of the data.

The collected data of the participants will be stored by the Good Conversations gGmbH in a database in Germany connected to the Software. The Partner can access the data via the Software's web interface. Through the web interface of the Software, any Partner can view the data of the participants who have registered for the Event via his website. The Partner does not see the data of the participants who have registered via the website of any Co-Organizers and vice-versa.

After the data has been evaluated by the Software and Matches have been formed, the Partner sees first and last names, postcode, the answers to the yes/no questions and the answers to the introduction questions of the Matches assigned to his participants. The Partner does not see the contact data of the participants of any Co-Organizers and vice-versa.

The Good Conversations gGmbH has access to the data of the participants of the Partner and his Co-Organizers solely for the purpose of technical support and to fulfil the obligations set forth in the DPA.

The Partner assigns the Good Conversations gGmbH to delete all participant contact information as well as answers to the registration questions nine months after the last matching round. Participant name, age, gender, location and feedback including pictures will be stored until the purpose for which they are intended to be used no longer applies or, if consent by participants has been given, for the purpose of announcing and advertising future My Country Talks-Events for a maximum of three years. Thereafter the data are held until the expiry of the statute of limitations, in order to be able to ensure and prove in case of doubt that the data processing was justified in the context of the project. Access to the data is then no longer possible for the Partner. The Partner of the Event has the option to export anonymized user data for the purpose of data visualisations and editorial reporting on the Event.

8. Marketing and Communications

The Good Conversations gGmbH is assigned the task of statistically evaluating the collected participant data for the purpose of using it for marketing purposes for My Country Talks. This collected data may include total number of participants and Matches in an Event, distribution of the answers to the yes/no questions, as well as the average participant age, the gender distribution in an Event and the participant location.

The Partner receives the non-exclusive right to use the name and logo of My Country Talks to promote the Event and in the context of reporting on the Event as long as the contractual relationship between the parties exists.

9. Termination of contract

The contract continues to exist independently of the organisation of an specific Event as long as it is not terminated. The Partner therefore has the opportunity to organise a subsequent event under the same contract.

If no active event of the Partner takes place, the parties can terminate the contract at any time.

During the duration of an event, the parties can terminate the contract at any time to the end of the event. The rights and obligations of the parties that extend beyond the term of the event (data protection, data access and storage, etc.) shall continue to exist until the data is deleted.

Each party has the right to extraordinary termination for good cause. This applies regardless of the duration of an Event. Good cause is also deemed to be a justified suspicion of a violation of the Code of Ethics.

Any transferred rights of use regarding the software automatically revert to the Good Conversations gGmbH after the termination of the contract without an explicit recall of rights.

10. Final provisions

The invalidity of any provision of this contract shall not affect the validity of the remainder of the contract. The invalid provision shall be replaced by a correspondingly valid provision which comes as close as possible to the intended economic provision.

The Good Conversations gGmbH reserves the right to make changes to the general terms and conditions.

Amendments and supplements to this contract must be made in text form in order to be effective. This shall also apply to a waiver of the form requirement.

This contract is subject to German law, place of jurisdiction is Hamburg.

Data Processing Agreement - Article 28 GDPR

Agreement

between

the Partner of the main agreement

– Controller, hereinafter referred to as “the Principal” –

and

Good Conversations gGmbH

Buceriusstraße, Eingang Speersort 1, 22095 Hamburg

– Processor, hereinafter referred to as “the Agent” –

Principal and Agent individually designated as “Party” and collectively as “Parties”.

1. Subject-matter

In the framework of the delivery and performance relationship between the parties (hereinafter referred to as the “Main Agreement”) it is necessary that the Agent handles personal data as a processor in the sense of Article 4 no. 8 GDPR, for which the Principal is responsible as controller in the sense of Article 4 no. 7 GDPR (hereinafter referred to as “Principal-Data”). This Agreement concretizes the data privacy rights and duties of the parties in the context of handling the Principal-Data for the performance of the Main Agreement by the Agent.

2. Nature and purpose of the processing, nature of the personal data, categories of data subjects, duration of the processing

The Agent shall process the Principal-Data for the duration of the contract on behalf of and in compliance with the instructions of the Principal. The Principal remains the controller according to Article 5 (2) GDPR ("Master of the Data "). Nature and purpose of the processing as well as the nature of the personal data and the categories of data subjects are specified in Annex 1. The Agent shall not process any personal data deviating from or going beyond this, in particular if its for the Agents’ own purposes.

3. Principal’s rights to give instructions

3.1 Instructions from the Principal shall be given in writing or text form (e-mail being sufficient). Deviating from this, (telephone) verbal instructions may be given, if they are subsequently confirmed in writing or text form.

3.2 The Agent shall carry out the instructions of the Principal without undue delay or, where applicable, in compliance with a reasonable deadline set by the Principal. The agent shall, in particular, rectify, delete and block personal data as instructed by the Principal without undue delay and confirm this in writing upon request.

3.3 If the Agent considers that an admissible individual instruction violates applicable provisions of the General Data Protection Regulation or other data privacy provisions of EU law or the law of the Member States, he shall point this out to the Principal without undue delay. The Agent is entitled to suspend the execution of the instruction until the instruction is confirmed by the Principal.

3.4 Insofar as the Agent is required to process the personal data without any instruction from the Principal by Union or Member State law to which the Agent is subject, the Agent shall inform the Principal of that legal requirement in due time before processing, unless that law prohibits such information on important grounds of public interest.

4. Duties of the Principal

4.1 The Principal shall be externally, i. e. vis-à-vis third parties and data subjects, responsible for the lawfulness of the processing of the Principal-Data and for safeguarding the rights of data subjects.

4.2 The Principal shall keep all business secrets of the Agent (in particular those with regard to technical and organisational measures) acquired in the context of the contractual relationship confidential. This obligation shall remain in force even after termination of this contract.

4.3 Insofar as the Agent defends himself with legal means against a claim for damages according to Article 82 GDPR, against an imminent or already imposed administrative fine according to Article 83 GDPR or other sanctions in the sense of Article 84 GDPR, the Principal shall allow the Agent to disclose details of the processing for the purpose of legal defence, including instructions issued from the Principal.

4.4 The Principal shall support the Agent in the case of controls by a supervisory Authority, regulatory offence procedures, criminal procedures, claims to compensation or liability of the data subject or a third person in a reasonable and necessary manner, as far as these controls concern the data processing by the Agent.

5. Duties of the Agent

5.1 If a data subject addresses the Agent directly in the exercise of his rights under Chapter 3 GDPR (Art. 12-23 GDPR), taking into account Part 2, Chapter 2 BDSG (Sections 32-37 BDSG), the Agent shall immediately forward this request to the Principal and support the Principal in a reasonable manner with appropriate technical and organisational measures to comply with his obligation to respond to such requests for the exercise of the rights of the data subject specified in Chapter 3 DSGVO.

5.2 The Agent shall support the Principal in complying with the duties arising out of Art. 32-36 GDPR taking into account the nature of the processor and the information available to the Agent.

5.3 If the Agent becomes aware of a personal data breach within the meaning of Art. 4 No. 12 GDPR it shall immediately notify the Principal thereof. Within this notification pursuant to Art. 33 para. 2 DSGVO, the Agent shall inform the Principal as comprehensive as possible about the

nature and extent of the incident and the time it occurred, the IT system and data subjects affected, the time of discovery, all conceivable adverse consequences of the personal data breach and the measures taken as a result.

5.4 The Agent informs the Principal without undue delay if the rights of the Principal concerning the personal data held by the Agent are significantly affected by measures taken by third parties or other events.

5.5 The Agent shall return all Principal-Data at the request of the Principal. Data carriers received from the Principal shall be marked separately and administered on an ongoing basis. Copies and duplicates of the personal data may only be made with the prior consent of the Principal, unless they are used for the proper execution of this agreement or the respective project assignment or to comply with legal storage obligations.

5.6 If the Agent is legally required, it shall assign a data protection officer (Art. 37-39 GDPR). His or her contact details and where applicable information about his or her replacement shall be given to the Principal for the purpose of direct contact at least in text form (e-mail being sufficient).

6. Security in the processing

6.1 The Agent shall take all measures necessary pursuant to Art. 32 GDPR to grant a level of data security commensurate with the risk of processing. In particular, these measures include the ability to restore the confidentiality, the integrity, the availability and the resilience of the systems permanently and to restore the availability of and access to personal data quickly after a physical or technical incident. The Agent shall regularly review, assess and evaluate the effectiveness of the technical and organisational measures taken to grant the security of the processing and documents the results.

6.2 The Agent shall implement the technical and organisational measures listed in Appendix 2 prior to commencing the processing of Principal-Data, to maintain them for the duration of the processing and to adapt them commensurate with the state of the art and the risk of the processing.

6.3 The Agent shall ensure that all persons authorized to process personal data are obliged to confidentiality or are subject to an adequate statutory confidentiality obligation.

7. Supervision authority of the Principal

7.1 The Agent shall grant the Principal the right to evaluate the data processing and the compliance with this contract or the respective project assignment. In particular, the Agent shall provide the Principal with all information required to prove compliance with the obligations laid down in this Agreement and shall enable the execution of evaluations, including inspections. These actions may also be carried out by a third party obliged to confidentiality, provided that the third party is not a competitor of the Agent.

7.2 The parties agree that the Principal shall conduct an evaluation in accordance with Clause 7.1 by instructing the Agent, at the Agents’ option, to submit an appropriate audit report, a report or extracts of reports from independent bodies (e.g. accountants, auditors, data protection officers, data protection officers, data protection auditors or quality auditors) or an appropriate certification by an IT security or data protection audit - e.g. in accordance with ISO/IEC 27001 or “BSI-Grundschutz” (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) - ("Audit Report"). Notwithstanding, the Principal may conduct an independent evaluation when reasonably justified.

7.3 The Agent shall support the Principal in its evaluation. This includes granting the Principal all access, information and inspections rights. The same applies to evaluations conducted by the competent supervisory authority in accordance with the applicable data protection regulations.

7.4 The Principal shall inform the Agent about all circumstances relating to the conduct of the evaluation in due time (generally at least four weeks prior to the evaluation). Generally, the Principal may conduct an evaluation once per calendar year. Notwithstanding the foregoing, the Principal shall have the right to conduct further evaluations in the event of special occurrences.

8. Subprocessors

8.1 The Agent may subcontract with further processors (subprocessors). For the time being, the Agent commissions the subcontractors listed in Appendix 3. The Principal agrees to their commissioning. The Agent shall always inform the Principal of any intended change in relation to the use or replacement of subcontractors, which shall give the Principal the opportunity to object to such changes within two weeks, although this may not be done without good cause in terms of data protection law. Unless the Principal raises justified objections within two weeks of notification of the change, the change shall be deemed to have been approved by the Principal. The Agent shall inform the Principal of this significance of his conduct at the beginning of the period. In the event of an objection, the Agent may, at his own discretion, either provide the service without the intended change or - if the provision of the service without the intended change is not reasonable for the Agent - discontinue the service to the Principal within two weeks of receipt of the objection and terminate the main contract without notice and with immediate effect.

8.2 Should the commissioning of a subprocessor lead to a transfer of Principal-Data to a country outside of the European Union (EU) or the European Economic Area (EEA) (‘third country’), clause 9 of this agreement applies.

8.3 The Agent shall ensure that the data protection obligations stipulated in this Agreement also apply vis-à-vis the subcontractor. The Agent shall oblige the subprocessor respectively pursuant to Art. 28 (4) GDPR by way of a contract or another legal instrument in accordance with EU law or the law of the respective member state prior to the commencement of the processing, whereby, in particular, sufficient guarantees must be provided that the appropriate technical and organisational measures are conducted in such a way that the processing complies with the regulations of the GDPR.

9. Transfer of Principal-Data to third countries

9.1 Generally, the data processing contractually agreed upon shall be conducted in a member state of the European union (EU) in a signatory state of the Agreement on the European Economic Area (EEA). Any transfer of Principal-Data to a country outside the EU/EEA ("third country") shall only take place if the special requirements of Art. 44 et seq. GDPR are met.

9.2 The Principal hereby authorises the Agent to enter into the standard contractual clauses for the transfer of personal data to processors established in third countries in accordance with Commission Decision (EU) 2021/914 of 4,6,2021(“SCC”) module three, transfer processor to processor, with a subprocessor to whom the Agent intends to transfer data for processing in a third country. The parties agree that a data transfer may be based on the SCCs issued by the European Commission. Deviations from this are only permitted with prior approval.

10. Return and deletion

10.1 The Agent shall return all Principal-Data after having finished the processing agreed on and, in particular after the end of the contractual performance (in particular in the event of termination or other end of the Main Agreement) and subsequently delete this data in accordance with the applicable regulations (including existing copies). Data carriers obtained by the Principal shall be returned or destroyed in compliance with an appropriate level of protection. The same applies to test and rejection material. This shall not apply provided Union or Member State law requires storage of the personal data.

10.2 Documentations which serve the purpose of proving the orderly and due data processing or legal requirements of record-keeping shall be kept by the Agent according to the respective record-keeping periods beyond the duration of the contract.

11. Exemption

Insofar as claims for damages pursuant to Article 82 GDPR are made against the Agent for an infringement of the GDPR while processing of Principal-Data without the Agent having contravened a Principal’s instruction, the Principal shall indemnify the Agent upon first request from all claims. The Principal shall also cover the costs of the Agent´s necessary legal defence including all court and legal fees. The obligation to indemnify shall not apply if the claim for damages is based on the violation of a duty under the GDPR specifically imposed on the processors such as the Agent.

12. Remuneration

The Agent may be compensated by the Principal for support services according to Clause 5.1 and Clause 5.2 of this agreements as well as for participation in independent inspections of the customer according to Clause 7.2 demand an appropriate remuneration. This shall not apply if the support is necessary because the Agent violates an instruction of the Principal or has violated an obligation from the GDPR specifically imposed on the processors.

13. Duration and termination

The term and termination of this Agreement shall be governed by the provisions concerning the term and termination of the Main Agreement. A termination of the Main Agreement automatically results in the termination of this Agreement. An isolated termination of this Agreement is excluded.

14. Priority clause

Unless special provisions are contained in this Agreement, the provisions of the Main Agreement shall apply. In the case of any conflicts between provisions of this Agreement and provisions of other agreements, in particular with the Main Agreement, the provisions of this Agreement shall prevail.

Appendix:

Appendix 1: Nature and purpose of the processing, Type of personal data, Categories of data subjects

Appendix 2: Technical and organisational matters

Appendix 3: Subcontractors

Appendix 1: Nature and purpose of the processing, Type of personal data, Categories of data subjects

Nature and purpose of the processing:

Hosting, service and support of the software platform My Country Talks

Type of personal data:

The following user data will be collected and used: answers to political questions given by participants during the application process, and personal data including name, gender, age, zip code, email address, mobile phone number and any personal data contained in the feedback. Furthermore, anonymized data will be stored and used for statistical evaluations and visualisations.

Categories of data subjects:

Customer data

Appendix 2: Technical and organisational measures

1. Confidentiality (Article 32 (1) Point b GDPR) and Encryption (Article 32 (1) Point a GDPR)

Physical Access Control

No unauthorised access to Data Processing Facilities:

Good Conversations gGmbH

Entrance doors are always kept locked
Chip cards for all doors
Visitors / external persons are accompanied or picked up and always supervised
Video surveillance with recording at the front entrance
Electronic door opener
Security and / or security personnel at the entrance
Alarm system
Laptops locked away or lock to desks after work
Fire doors, fire extinguishers, surge protection

diesdas.digital (development agency)

Video surveillance outside working hours
Security doors
Office locked at any time, when no one is present
Alarm system
Window bars
Laptops locked away after work in a cabinet
Fire doors, fire extinguishers, surge protection

Makandra (Hosting)

Access to the “aiti-park” (office building) is only possible with an anti-Park-ID. It is documented which card can open which door. All makandra employees have the same permissions
The plant security officers regularly control all premises
Access to the premises of the IT (server) is only possible for a limited group of people. Access to the server rooms is even more limited

Electronic Access Control/Encryption

No unauthorised use of the Data Processing and Data Storage Systems:

Good Conversations gGmbH and diesdas.digital

Standardized, documented process for managing user access cancellation / deactivation upon termination of the employment relationship
Regular review of all existing accounts and access
Granular allocation of access per service
No external admins, service or maintenance
Administration access for each service is kept to a minimum
Admin access only for people who have excelled in the past as professionally and personally suitable
No use of production data in local test systems
Training for the handling of personal data and protection of the devices
Routine encryption of all hard disks
No sharing of computers: each employee has his own device and knows the access alone Whenever possible data transmission through encrypted connections

Passwords

Using the password manager 1Password mandatory for all employees;
Share visibility across multiple pools within the tool so that employees only can get passwords they need
1Password allows the generation of secure passwords with minimum length and use of special characters;
Employees are required to use long passwords without repetitions and special characters
Instruction / training on 1Password at the beginning of the employment relationship
Passwords must not be passed on; instructions for secrecy
At any time comprehensible which persons have access to which passwords
Former employees lose access to all passwords from the last working day

Makandra (Hosting)

An automatic lock occurs on computers within the domain All computers within the domain are encrypted.
All employees are required to use randomly generated passwords and store them in an encrypted form

Internal Access Control

No unauthorised Reading, Copying, Changes or Deletions of Data within the system:

Good Conversations gGmbH and diesdas.digital

Use of role and access rights management in all software products that make this possible
Restricting each person's access to data that is not necessary for their daily work
Use of granular role systems to restrict access to relevant and work-related data
Own passwords / access for each person; no account sharing
Regular control of assigned access rights by several persons
Access permissions are stored in the applications until the end of the employment relationship and can be viewed by the administrators at any time
If possible, purchase of software packages for access logging
SSH and SFTP if possible during data transmission
Encryption of the HTTP connection via TLS whenever possible
Encryption of all computers via FileVault
Deletion of files that are no longer needed, e.g . exports
Access from sensitive data only for as few people as possible
Passing on data through password-protected files if possible and communicating the access password only to recipients on a second channel
Initial meeting on data security, in which roles and access rights are defined Analog data is destroyed with shredder of security level 4 with particle cut

Makandra (Hosting)

A role concept is used. In some cases roles are defined for individuals
Program-based authorizations are currently assigned individually

Isolation Control

The isolated Processing of Data, which is collected for differing purposes:

Good Conversations gGmbHand diesdas.digital

Separation of access rules via database principle
Software-side client separation
Separation of productive and test systems (in separate databases)

Makandra (Hosting)

All data is entered and processed separately only for the respective individual customers in the system. The data is stored separately for each customer according to the customer’s contract and instructions

2. Integrity (Article 32 (1) Point b GDPR)

Data Transfer Control

No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport:

All systems accessible externally via the internet are only accessible via encrypted protocols
The company's security devices and encryption techniques apply to corporate devices issued to employees. In addition, a separate IT user policy applies

Data Entry Control

Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted:

Changes to data are logged system-internally.
In some cases, document-related logging of the logged-in user is implemented in other systems.
The file system records on an application level, who created or last edited a file These protocols are evaluated only in acute individual cases

3. Availability and Resilience (Article 32 (1) Point b GDPR), Rapid Recovery (Article 32 (1) Point c GDPR)

Availability Control

Prevention of accidental or wilful destruction or loss

4. Procedures for regular testing, assessment and evaluation (Article 32 (1) Point d GDPR; Article 25 (1) GDPR)

Order or Contract Control

No third party data processing as per Article 28 GDPR without corresponding instructions from the Client:

Agents are carefully selected
Clear and unambiguous contractual arrangements
Formalised Instructions Management
Instructions are issued in writing
Strict controls of the Agent by the management or the data protection officer duty of pre-evaluation

Makandra (Hosting)

Regular internal audits and other measures
Processing of personal data of the customer on the customer’s behalf only on the basis of a contract for the processing of orders according to Art. 28 General Data Protection Regulation

Appendix 3: Subcontractors

Name	Address/country	Subject-matter/service:
MailJet GmbH	Friedrichstraße 68 10117 Berlin Germany	SAAS-Service for Mail delivery
Makandra GmbH	Werner-von-Siemens-Str. 6, 86159 Augusburg Germany	Hosting and Security
Twilio Ireland Ltd	25-28 North Wall Quay Dublin 1 Ireland	Voice and messaging functions via Cloud-APIs
HERE Global B.V.	Kennedyplein 222- 226, 5611 ZT Eindhoven The Netherlands	Map Services via API
diesdas.digital	diesdas.digital GmbH Oranienstraße 6 10997 Berlin Germany	Software Development