Data Transfer Agreement

Agreement on the fulfillment of obligations under Art. 26 GDPR in the event of joint responsibility 

between 

Carl von Ossietzky University of Oldenburg 

represented by the President Prof. Dr. Ralph Bruder 

Ammerländer Heerstr. 114-118 

26129 Oldenburg 

Responsible body: Faculty VI, Department of Human Medicine 

Responsible university lecturer: Prof. Dr. Dirk Weyhe 

– hereinafter also referred to as “UOL” or “Responsible Party A” – 

and 

University of Lübeck 

represented by the President Professor Dr. Gabriele Gillesen-Kaesbach  

Ratzeburger Allee 160 

23562 Lübeck  

Executing agency: NWG MoveGroup, Institute for Medical Informatics 

– hereinafter also referred to as “MOVE” or “Responsible Party B” – 

and 

ASCORA GmbH 

Birkenallee 43 

27777 Ganderkesee 

– hereinafter also referred to as “ASCORA” or “Responsible Party C” – 

and 

ProLog, Therapie- und Lernmittel GmbH 

Olpener Str. 59 

51103 Cologne  

– hereinafter also referred to as “PROLOG” or “Responsible Party D” – 

all together also referred to as “Parties” or “Contracting Parties” – 

Contents 

Preamble 

§ 1 Subject matter of the regulation 

§ 2 Definition of responsibilities / distribution of obligations under the GDPR 

§ 3 Provision of the essence of the agreement / contact point 

§ 4 Mutual support, information and coordination obligations 

§ 5 Provisions on joint and several liability in the internal relationship 

§ 6 Entry into force and termination of the agreement 

§ 7 Final provisions 

§ 8 Annexes 

Preamble: 

The parties have concluded a cooperation agreement (version 23.11.2023) (hereinafter referred to as the “Main Agreement”).  

This Main Agreement governs the cooperation between the parties, including in connection with the joint implementation of the joint project “LAOLA – Interactive therapy support using AI-based mouth, posture and speech recognition using the example of voice disorder therapy” funded by the Federal Ministry of Education and Research (BMBF).  

The parties are “joint controllers” within the meaning of Art. 4 para. 7, Art. 26 GDPR for various processing operations of personal data carried out in this context. 

With this agreement (hereinafter: “Agreement”), the parties comply with the obligation and the associated regulations in the internal relationship between them under Art. 26 para. 1 sentence 2 GDPR. 

However, provisions relating to the admissibility of data processing as such under data protection law are not part of this Agreement and are reserved for the main contract or other agreements on data protection between the parties.  

Having said this, the parties agreed the following:  

§ 1 Subject matter of the agreement 

(1) With this agreement, the parties mutually regulate their rights and obligations for the processing operations for which they are jointly responsible pursuant to Art. 26 GDPR. For this purpose, they also determine in the form of the agreement pursuant to Art. 26 para. 1 sentence 2 GDPR which of them fulfills which obligation pursuant to the GDPR, in particular with regard to the exercise of the rights of the data subjects, and who complies with which information obligations pursuant to Art. 13 and 14. 

(2) This agreement with its annexes does not itself establish joint responsibility within the meaning of Art. 26 GDPR between the parties, but presupposes this as a given on the basis of other agreements or constellations between the parties. In this respect, this agreement with its annexes is purely declaratory in order to fulfill the obligations arising from Art. 26 GDPR in the event of an existing joint responsibility. 

(3) The permissibility under substantive data protection law of the processing activities covered by this agreement, in particular the transfer of personal data between the parties (such as the existence of permission pursuant to Art. 6 GDPR, etc.), is not assessed on the basis of the agreement, but is assumed. In this respect, each party guarantees compliance with the statutory provisions, in particular the lawfulness of the data processing carried out by it within the scope of joint responsibility. 

The parties may reach other agreements and regulations on the permissibility of data protection, which shall stand alongside the agreement. The agreement shall only take precedence insofar as it concerns the fulfillment of the obligations arising from Art. 26 GDPR. 

(4) The agreement exclusively regulates the relationship between the parties as joint controllers within the meaning of the GDPR. This agreement does not establish any obligations of the parties towards third parties (in particular towards the data subjects) that go beyond the GDPR. The agreement is not intended by the parties to be a genuine or non-genuine contract for the benefit of third parties or a contract with protective effect for third parties and cannot be interpreted as such. 

(5) This agreement does not establish any corporate relationship between the parties with regard to the data processing for which the parties are joint controllers, in particular not in the form of a partnership under civil law. 

§ 2 Definition of responsibilities/allocation of obligations under the GDPR 

(1) The  

  • processing activities covered by this Agreement for which the Parties are joint controllers, and 
  • the respective determination of which of the parties fulfills which obligation under the GDPR 

are set out in Annex 1 to this Agreement.  

For data processing activities not listed in Annex 1, each contracting party is an independent controller within the meaning of Art. 4 No. 7 GDPR. 

If there are any changes to the data processing described in Annex 1, the parties shall amend Annex 1 without delay and use the amended Annex as the new Annex to the Agreement, replacing the old Annex. 

For reasons of proof, the old Annexes shall be marked with a corresponding clear amendment note (“Amended on …”) and kept together with this Agreement.  

(2) Notwithstanding the provisions of this agreement, a data subject may assert any rights to which they may be entitled under the GDPR with and against each of the joint controllers in accordance with Art. 26 para. 3 GDPR. Reference is made to the following provisions of this agreement on the internal relationship between the parties and the provisions there on the processing of such a request. 

§ 3 Provision of the essentials of the agreement / contact point 

(1) Annex 1 is an integral part of the Agreement. The parties agree that Annex 1 also contains the “essence” of the agreement within the meaning of Art. 26 para. 2 sentence 2 GDPR. 

(2) Annex 1 specifies the party that must fulfill the obligation under Art. 26 para. 2 sentence 2 GDPR to make the essence of this agreement available to the data subjects. In this respect, the party specified in Annex 1 shall make Annex 1 available to the data subjects in the current and valid version. 

This shall be done as set out in Annex 1.  

(3) If a data subject requests that the essentials of the agreement be made available (again) in accordance with Art. 26 para. 2 sentence 2 GDPR, the requested contracting party may initially only make Annex 1 available. 

The provision of further or other information regarding joint responsibility within the meaning of Art. 26 GDPR must be agreed in advance with the other parties. 

(4) The contact point for the data subjects within the meaning of Art. 26 para. 1 sentence 3 GDPR shall be the party specified in Annex 1. 

If a data subject contacts the party that is the point of contact, the further procedure shall be governed by the provisions of the agreement, in particular clauses 4 to 6. 

§4 Mutual support, information and coordination obligations 

(1) Principle 

Insofar as one of the parties has assumed an obligation in whole or in part in accordance with Annex 1, the other party shall provide appropriate support free of charge in fulfilling the obligation (e.g. when carrying out a data protection impact assessment, fulfilling a right to information, providing information for the description of processing activities in accordance with Art. 30 GDPR, etc.).  

Further details can be found in the following regulations. 

(2) Requests by third parties or government agencies 

1. should  

  • a third party with regard to the assertion of its data subject rights or  
  • a public and/or state body, such as a data protection supervisory authority or an investigating authority (police, public prosecutor’s office, etc.) (hereinafter: “Authority”),  

to one of the parties regarding such processing activities that relate exclusively or partially to the processing activities covered by the agreement, or 

o data protection claims are threatened or asserted against a party in connection with the processing activities covered by this agreement, in particular claims for damages within the meaning of Art. 82 GDPR, fines within the meaning of Art. 83 GDPR and/or other sanctions within the meaning of Art. 84 GDPR, 

(for all three variants in each case hereinafter: “request”) 

this party shall immediately inform the other parties of this request in text form and, in particular, forward a copy of the request. The information shall be sent to the data protection officers designated by the parties and named in Annex 1. 

2. processing and further communication shall be carried out by the party to which responsibility is assigned in Annex 1 (“processing party”). The Processing Party is always the party on whose side the alleged infringement has been committed (see Annex 1, II). 

The other parties shall support the processing party upon request to the necessary and reasonable extent. In particular, they are obliged to provide the processing party with the information necessary to process the request from their own areas relating to their part of the data processing. 

If there is no assignment of responsibility in Annex 1, the party that is the addressee shall begin processing and inform the other parties immediately. 3. 

3. the processing party shall keep the other parties informed of the status of the processing and communication on its own initiative and shall refer to the joint responsibility with the other contracting parties in external communication. 

The following special provisions shall also apply: 

  1. Substantive statements and legally binding declarations 
    However, without prior consultation with the other party, the party concerned shall not make any substantive statements or legally binding declarations to third parties or authorities, in particular no acknowledgement or comparable declaration, in the cases set out in clause 4.2.1. 
  1. Request for deletion 
    If a request concerns the erasure of data (e.g. in the event of the assertion of the data subject’s right under Art. 17 GDPR), the processing party must inform the other parties separately. The other parties may object to the deletion within 2 weeks for legitimate reasons, for example if they are subject to a statutory retention obligation. Deletion must then be omitted until the procedure has been jointly clarified. 

(3) Breach of the protection of personal data 

1. If a breach of the protection of personal data within the meaning of Art. 4 No. 12 GDPR on the part of one party has an impact on the data covered by this agreement or if there is a reasonable suspicion thereof, this party must inform the other parties in text form immediately after becoming aware of it, at the latest within 24 hours.  

To this end, it must – insofar as already possible – in particular provide information on the points mentioned in Art. 33 para. 3 GDPR. 

2. the parties must then agree on whether a reportable incident (Art. 33, 34 GDPR) has occurred.  

In case of doubt, the party where the breach occurred/where there is reasonable suspicion shall decide.  

3. the processing party is responsible for processing and further communication. The other parties (“supporting parties”) shall support the processing party to a reasonable extent upon request.  

4. the processing party shall keep the supporting parties informed of the status of the processing on its own initiative and shall refer to the joint responsibility with the other contracting parties in external communication 

(4) Irregularities in the respective data processing 

Insofar as a party discovers errors or irregularities with regard to data protection provisions during the examination of such processing activities (including order results) that are subject to the agreement, it must inform the other parties immediately, at the latest within 24 hours and in full in text form.  

(5) Order processing 

The contracting parties are permitted to involve processors. The other contracting parties must be informed in writing before the intended involvement of a processor. The respective contracting party shall conclude the necessary agreements with the processor in accordance with Art. 28 para. 4 GDPR. The controller who engages a processor shall be liable for compliance with the processor’s data protection obligations. 

(6) Measures for data security  

The contracting parties guarantee that they have taken all security measures in accordance with Art. 32 GDPR and that they will always keep them up to date. The other contracting parties must be informed of any changes to the level of protection. 

§ 5 Provisions on joint and several liability in the internal relationship  

According to Art. 26 para. 3 GDPR and Art. 82 para. 4 GDPR, in the event of claims for damages by a data subject, each of the jointly responsible parties is liable for the entire damage in order to ensure effective compensation for the data subject. If, in accordance with the above provisions, one of the parties has paid compensation to the data subject for the damage suffered, that party shall be entitled to recover from the other party the part of the compensation corresponding to its respective share of responsibility for the damage in accordance with Art. 82 para. 5 GDPR.   

In addition, the provisions of the BGB on joint and several liability apply. 

§ 6 Entry into force and termination of contract 

(1) This agreement shall enter into force upon signature by the parties. 

This agreement ends automatically when the main contract ends without the need for termination. 

(2) This agreement may only be terminated by the parties for good cause.  Good cause shall be deemed to exist in particular in the event of a serious or continuing breach of data protection regulations or the provisions of this agreement.  

Terminations must be made in writing to be effective. 

(3) The provisions of §§ 4, 5 and 7 of this agreement shall remain in effect even after termination or other termination of this agreement. 

(4) Documentation within the meaning of Art. 5 (2) GDPR, which concerns data processing subject to this agreement and serves to prove its legality and compliance with the GDPR or other data protection regulations, shall be kept by each party for at least twenty (20) years after the end of the contract.  

The respective other parties shall have access to it insofar as the documentation relates to data processing for which these respective other parties are also a joint controller in accordance with Annex 1. 

§ 7 Final provisions 

(1) If a party acts on the basis of the agreement vis-à-vis third parties (e.g. in the processing of requests from data subjects) and/or vis-à-vis the other parties, this shall be done free of charge in each case, unless expressly stipulated otherwise in the main agreement.  

(2) All amendments and additions to this agreement and the annexes must be made in writing. This shall also apply to an agreement that changes or cancels the written form requirement agreed here. Written form within the meaning of this agreement means the statutory written form within the meaning of § 126 BGB or the electronic form within the meaning of § 126a BGB. Text form within the meaning of this agreement means the text form in accordance with § 126b BGB. 

(3) Unless otherwise stipulated in this agreement, the provisions of the main contract in the relationship between the parties shall also apply to this agreement and otherwise remain unchanged. 

(4) Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions of this agreement. The same shall apply if this agreement contains a loophole. In any such case, the parties shall be obliged to agree on a valid provision in place of the missing, invalid or unenforceable provision which comes as close as possible to the economic purpose pursued by this agreement. 

(3) This agreement and its implementation shall be governed by the provisions of the GDPR, supplemented exclusively by German law to the exclusion of the UN Convention on Contracts for the International Sale of Goods.  

§ 8 Annexes 

Annex 1 Description of the essentials of the agreement and responsibilities 

Annex 1 

Agreement on joint responsibility – the “essence” of the agreement 

I. Joint contact point pursuant to Art. 26 para. 1 sentence 3 GDPR 

Carl von Ossietzky University of Oldenburg 

represented by the President Prof. Dr. Ralph Bruder 

Ammerländer Heerstr. 114-118 

26129 Oldenburg 

Responsible body: Faculty VI, Department of Human Medicine 

Responsible university lecturer: Prof. Dr. Dirk Weyhe 

Contact person: Dr. Verena Uslar 

E-Mail: [email protected]: 0441 229-1490 

II. Which partner is jointly responsible for which processing operations within the meaning of Art. 26 para. 1 GDPR? 

 Processing Data collection  Processing  RGB-D Videos Processing Audiorecordings voice Processing Clinical parameters and decision support  Processing names, addresses, e-mail addresses 
Description of the processing Data collection of the audio, image and RGB-D video recordings as well as the medical questionnaires and other data on the smartphone using the LAOLA app on a smart device. Data on the smartphone using the LAOLA app on the smart device and data transfer by UOL, MOVE and ASCORA to the LAOLA data servers operated by ASCORA. The collected RGB-D image and video data, image annotations and patient data are transferred from ASCORA’s data server to MOVE’s data server for processing via a state-of-the-art encrypted connection: On the basis of the data, MOVE extracts the physiological movement characteristics according to projects for analysis (e.g. keypoint detection and facemesh calculation) and on this basis determines the correctness of the keypoints to reference annotations, as well as extracts and validates clinically relevant parameters from them. For this purpose, UOL annotates the data in advance on the ASCORA data server or using standalone software and participates in the clinical interpretation of the results. MOVE coordinates the creation of the OpenAccess dataset. The audio voice data collected with the LAOLA app on smart devices and transmitted to the ASCORA data server (of the exercise performance) is transferred from the ASCORA data server to the PROLOG, MOVE and UOL data servers for processing via a state-of-the-art encrypted connection: Based on the data, all three jointly extract methods for analysis (e.g. breathiness, hoarseness, roughness, loudness, etc.) and compare them with reference annotations. Clinically relevant parameters are also extracted from these and validated. For this purpose, UOL annotates the data in advance and participates in the clinical interpretation of the results. Processing of the data sets on MOVE computers to develop and test decision support algorithms for training selection based on the questionnaire data, and the interpreted data resulting from the processing of RGB-D videos and the processing of the audio recordings voice. UOL and PROLOG are involved in the selection of indicators for the suitability of certain trainings and the associated indicators and score calculation. Collection and storage of e-mail addresses and names of LAOLA app users on the ASCORA data server. 
Purpose of the (data) processing Data transfer Data transfer and data analysis in the sense of the research task RGB-D video analysis for facial-body tension and correct exercise execution Creation of an OpenAccess data set Data transfer and data analysis in the sense of the research task of vocal sound analysis Creation of an OpenAccess data set Data transfer and data analysis in terms of the research task of decision support for training selection Creation of an OpenAccess data set Identification of patients by therapists Contacting for further recordings and studies 
Responsible parties: Who are the joint controllers for each of these processing operations? 
UOL   X  X  X  
MOVE   
ASCORA  X   X  X   
PROLOG  X    
Obligations: Which controller is responsible for which of the following obligations for which processing? 
Art. 13 Duty to provide information when collecting personal data. UOL, MOVE UOL, MOVE UOL, MOVE UOL, MOVE  UOL, MOVE 
Art. 14 Duty to provide information if data was not collected from the data subject. UOL, MOVE, ASCORA, PROLOG UOL, MOVE UOL, MOVE, PROLOG UOL, MOVE UOL, ASCORA, PROLOG  
Art. 15 Processing of requests for information. ASCORA ASCORA, UOL, MOVE UOL, MOVE, PROLOG, ASCORA  MOVE ASCORA, PROLOG 
Art. 16 Processing of rectification requests. ASCORA ASCORA, MOVE, UOL PROLOG, ASCORA MOVE ASCORA, PROLOG  
Art. 17 or 18 Processing of requests for erasure or restriction of processing and Art. 19 Notification of the obligation to erase. ASCORA MOVE, UOL,  PROLOG, UOL,  UOL, MOVE, ASCORA,  ASCORA, PROLOG 
Art. 20 Processing of requests for disclosure (data portability). ASCORA ASCORA, MOVE ASCORA, PROLOG MOVE ASCORA, PROLOG 
Art. 21 Processing of objections. ASCORA ASCORA PROLOG , ASCORA,  PROLOG ASCORA, PROLOG 
Art. 24 Abs. 1 i.V. m. Art. 32 Festlegung der techn.-org. Maßnahmen nach Risikoabschätzung und ggf. Datenschutzfolgeabschätzung (Art. 35) und Konsultation einer Aufsichtsbehörde/ Übermittlung der notwendigen Informationen (Art. 36 (3)). ASCORA ASCORA PROLOG PROLOG ASCORA, PROLOG 
Art. 24 para. 1 Documentation of the selection of technical and organizational measures (as proof). measures (as proof). ASCORA, PROLOG ASCORA, MOVE ASCORA, PROLOG ASCORA, MOVE ASCORA, PROLOG  
Art. 24 para. 1 Review and update of measures. ASCORA, PROLOG ASCORA, MOVE ASCORA, PROLOG ASCORA, MOVE ASCORA, PROLOG  
Art. 26 Provision of the essence of the joint controllers’ agreement. ASCORA ASCORA ASCORA ASCORA  ASCORA 
Art. 28 Involvement of processors or sub-processors and their review. ASCORA ASCORA, MOVE ASCORA, PROLOG ASCORA, PROLOG ASCORA, PROLOG 
Art. 30 Maintenance of the record of processing activities. ASCORA MOVE ASCORA MOVE ASCORA, PROLOG 
Art. 33, 34 Process for reportable data breaches. ASCORA ASCORA ASCORA ASCORA, PROLOG ASCORA, PROLOG 
Art. 37 Appointment of a data protection officer. UOL, MOVE, ASCORA, PROLOG UOL, MOVE, ASCORA UOL, MOVE, ASCORA, PROLOG UOL, MOVE, ASCORA, PROLOG ASCORA, PROLOG 
  1. List of the responsible data protection officers 

Data Protection Officer UOL:  

Ass. iur. Patrick Rüscher 

Phone: 0441 798-4196 

E-mail: [email protected] 

Postal address 

Carl von Ossietzky University of Oldenburg 

The Data Protection Officer 

Ammerländer Heerstraße 114-118 

26129 Oldenburg 

Data Protection Officer MOVE:  

x-tention Informationstechnologie GmbH 

Margot-Becke-Ring 37 

69124 Heidelberg 

Phone: +49 451 3101 1903 

E-mail: [email protected] 

Data Protection Officer ASCORA:  

Rafael Karbowski,   

Ascora GmbH,  

Birkenallee 43,  

27777 Ganderkesee 

E-mail: [email protected] 

Data Protection Officer PROLOG:  

ProLog, Therapie- und Lernmittel GmbH 

Oliver Schmid 

Olpener Str. 59 

51103 Cologne 

Phone: +49 221 66091 1932 

  1. Type of provision 

The information provided here as the “essence” of the agreement between the parties is made available to the parties concerned as follows:  

(1) Via a project website 

(2) At the request of the subjects as a printout and/or by e-mail