Order processing My Pixelart

When ordering the individualized items My Pixelart craft set and event, personal data is collected during the ordering and delivery process
The contractor processes data on behalf of the client (order processing). 
This appendix specifies the data protection obligations of the contracting parties that arise from the order processing described. It applies to all activities that are related to and in which employees of the contractor or by the contractor
Process commissioned personal data (hereinafter referred to as data) of the client.

The definition
For all terms mentioned in this agreement for which Article 4 of the General Data Protection Regulation (hereinafter GDPR) provides a definition, this legal definition also applies to this contract.

§ 1 Subject and duration of the order
(1) The subject matter and duration of the order as well as the type and purpose of the processing result from the time required to process the order. In addition, a period of 30 days should damage occur during delivery and new production becomes necessary. 

§ 2 Obligations of the contractor
(1) The contractor and every person subordinate to him who has access to personal data may process data of data subjects exclusively within the scope of the order and instructions of the client, unless there is an exceptional case within the meaning of Article 28 paragraph 3 a) GDPR. In such a case, the
The contractor informs the client of these legal requirements before processing, unless the relevant law prohibits such communication due to important public interest.
a. The contractor informs the client immediately if he
is of the opinion that an instruction violates applicable laws.

(2) The contractor will design the internal organization within his area of ​​responsibility in such a way that it meets the special requirements of data protection. He will take technical and organizational measures to adequately protect the client's data, which meet the requirements of data protection regulations.
Basic Regulation (Art. 32 GDPR) are sufficient. The contractor must take technical and organizational measures that ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing.

(3) The contractor supports the client in his area of ​​responsibility and, as far as possible, by means of suitable technical and organizational measures in answering and implementing requests from data subjects with regard to their data protection rights. He may not access, port, correct, delete or restrict the processing of the data processed in the order, but only in accordance with documented instructions from the client.
If a data subject contacts the contractor directly in this regard, the contractor will immediately forward this request to the client.

§ 3 Obligations of the client
(1) The client must inform the contractor immediately and completely if he discovers errors or irregularities in the order results with regard to data protection regulations.

(2) As the person responsible, the client must ensure that the data processing taking place takes into account the requirements of the GDPR. This includes, among other things, the lawfulness of the data processing (in particular the legal basis for the processing according to Art. 6 GDPR) itself as well as the provision of information to the third party concerned (according to Art. 13 and 14 GDPR). This is particularly important in cases where the uploaded images contain personal data of third parties.