
ORSY®ONLINE AGREEMENTS

The following agreements between you (Client) and Adolf Würth GmbH & Co. KG (Contractor) govern the use of the Würth ORSY®online software (ORSY®online).

 

I. Utilisation agreement

1. The Contractor is the owner of the rights to the ORSY®online software, which provides the Client with a solution for recording, managing and organising its operating resources and inspection schedule.

2. The use of the web application includes the mobile use of the ORSY®online app for the Android (Google) and iOS (Apple) operating systems.

3. Access to the Würth online shop is required to use ORSY®online.

4. Up to four additional customer numbers for the same Client can be assigned to a user account.

5. Users registered as a guest in the ORSY®online app may only view the information and configuration of W-CONNECT products. These users may run the app on only one mobile device for each telephone number. If the phone number is used to log in on another mobile device, the user is logged out on the original mobile device.

6. The ORSY®online utilisation agreement is concluded for an indefinite period of time. This can be cancelled in writing with four weeks’ notice to the end of a contract year.

7. The Contractor endeavours to achieve a 98.5% availability averaged over the calendar year when the software is transferred. Availability means that the affected service or web application is ready for operation at the service transfer point (router output in Würth’s data centre).

8. Additionally, the General Terms of Sale, Delivery and Payment of Adolf Würth GmbH & Co. KG apply.

9. Any alterations and amendments hereto must be made in writing.

10. With respect to the processing of data in ORSY®online by Adolf Würth GmbH & Co. KG acting on behalf of the customer, the parties conclude the following agreement on the handling of assignments.

 

II. Agreement on handling assignments

1. Subject matter and duration of the assignment

1.1 Subject

Processing assignment centres on the performance of the following operations by the Contractor:

The Client’s use of ORSY®online to perform the following tasks assigned by the Contractor:

  • processing of product master data
  • processing of personal master data
  • processing of product usage and sensor data
  • processing of the mobile device’s master data and of connection data between products, app and cloud for the provision of functionality, (remote) maintenance and support purposes

1.2 Duration

The duration of this assignment processing contract (term) corresponds to the duration of the service listed under 1.1.

 

2. The actual content of the assignment

2.1 Type and purpose of the intended data processing

A more detailed description of the assignment’s subject matter with respect to the type and purpose of the Contractor’s tasks:

ORSY®online is designed as a cloud application that can be used via electronic end devices (e.g. tablets and smartphones, notebooks) in a browser or the ORSY®online app (referred to hereinafter as “app”). The user receives at a glance information on master data, the storage location and the maintenance and repair dates (and history) of a product/resource. The user hands over and forwards the products/resources using an electronic end device (e.g. smartphone). The user is assigned by means of the QR label or NFC tag affixed to the product/resource.

The products/resources bearing the QR labels and NFC tags and the linked personal data are stored in the software.

W-CONNECT products can be added to the account in the app. The location and data of previously added products can then be viewed on mobile devices and the website. The app or a gateway can identify W-CONNECT products via Bluetooth and retrieve usage and sensor data pertaining to the products, such as the battery status. In addition, the app and gateways can forward the data of all products within Bluetooth range securely and in encrypted form to the Würth ORSY®online Resource Management Cloud (referred to hereinafter as “cloud”). The app uses the mobile device’s location to locate the products. The gateway uses its own location for this.

The consumables scan serves to retrieve settings recommended for W-CONNECT products. This involves exchanging the consumables’ master data between the app and the cloud. These queries are processed in anonymised form by the Contractor for the purpose of refining its products.

Access to the mobile device’s camera is required to scan consumables and add your own images to a product. Images added by users are saved on the mobile device and uploaded to the cloud for all users with the same customer number. It is possible to grant the app access to the mobile device’s photo gallery. In this case, the app only processes the photos added to the app and uploads them to the cloud for sharing among all users with the same customer number.

We analyse the devices’ usage data in order to offer you services that can make your daily work easier (e.g. to offer products tailored to your work). We also analyse usage and sensor data in order to improve our products.

In the case of Würth products, ORSY®online can also be used to place a repair order in the Würth Masterservice, together with a variable collection and return address. ORSY®fleet fleet devices in particular can be used to order customised labels, extend an ORSY®fleet contract and, by providing the police report, initiate a theft or loss report.

By contacting us for support purposes, you permit us to access your data stored in the cloud for the purpose of processing your enquiry.

The processing of personal data regulated herein takes place exclusively in an EU member state or other EEC member state. Every outsourcing to a third country requires the Client’s prior consent and is permitted only when the particular requirements under Art. 44 ff of the EU GDPR have been met.

2.2 Data categories

The processing of personal data may involve the following data types/categories. We distinguish between data that is processed for the basic functions of ORSY®online and data that is processed for the add-on modules within the ORSY®online app.

Processing for the basic ORSY®online functions

Using our app for mobile devices and/or the browser application may cause e.g. the following data to be processed:

  • login details
  • first name, last name
  • e-mail address
  • address
  • selected country and language
  • authorisation role
  • senior staff
  • telephone number
  • e-mail address
  • history of changes to personal master data
  • number of resources/products
  • registration number/papers of motor vehicles
  • allocation of resources to locations and employees
  • server log files (e.g. access time and mode, IP address and any error events)
  • end device’s master data (model, operating system and browser version)
  • selection of / consent to general terms and conditions, assignment processing contract, consent status
  • photos taken with the app’s or mobile device’s camera function

Processing of data with ORSY®online add-on modules

  • Qualification of employees (e.g. certificates, instructions, documents, instruction timetable, driving licence)

Processing of data with W-CONNECT products

  • Usage and sensor data pertaining to products
  • Connection data between products, app and cloud (Bluetooth and Internet)
  • GPS-based positioning data

2.3 Categories of data subjects

Categories of data subjects include

  • customers
  • customers’ employees
  • customers’ former employees
  • Other persons working for customers’ companies, including sub-contractors and similar

 

3. Technical and organisational measures

Prior to processing, the Contractor must document the implementation of technical and organisational measures presented and required in the run-up to contract award, in particular with respect to the actual performance of the assignment, and hand this documentation over to the Client for review [details in the annexed “Technical and organisational measures (TOM) pursuant to Art. 32 EU GDPR”]. When accepted by the Client, the documented measures provide the basis for the assignment. Any adjustments resulting from the Client’s review/audit must be implemented by mutual consent.

The Contractor must establish security pursuant to (c) of Art. 28(3), Art. 32 EU GDPR, in particular in conjunction with Art. 5(1) and (2) EU GDPR.

These measures taken as a whole are data security measures and are to safeguard a level of protection appropriate to the risk affecting confidentiality and system integrity, availability and reliability. These must consider the state of the art, the costs of implementation, the type, extent and purpose of processing and the varying likelihood and severity of risks affecting the rights and freedoms of natural persons as defined under Art. 32(1) EU GDPR.

Technical and organisational measures are subject to the progress and evolution of the pertinent technologies. In this respect, the Contractor is entitled to implement alternative measures of adequate effect. However, the level of protection safeguarded by the stipulated measures must not be undercut. Essential changes must be documented.

 

4. Enquiries and rights of data subjects

4.1 The Contractor supports the Client to an appropriate extent in the fulfilment of the latter’s obligations under Art. 12–22, 32 and 36 EU GDPR. The Contractor may not disclose, rectify, delete or restrict processing on the assigned data without prior documented instructions issued by the Client. If a data subject refers directly to the Contractor in this matter, the Contractor immediately forwards this request to the Client.

4.2 The Client ensures that it discharges its obligations with respect to the data subjects. This includes, for example, safeguarding the lawfulness of processing pursuant to Art. 5 ff GDPR and the fulfilment of information obligations pursuant to Art. 12 ff GDPR. In addition, the Client may provide the Contractor with information on how the former must provide the data subject with the information stipulated under Art. 12 ff GDPR.

 

5. Data Protection Officer representing the Contractor

You can contact our Data Protection Officer at datenschutz@wuerth.com.

 

6. Responsibilities and permitted use

6.1 Pursuant to Art. 4(7) GDPR, the Client is responsible for the processing of assignment data commissioned within the scope hereof. The Client is fully and solely responsible for compliance with the applicable data protection laws, including, but not limited to the assessment and definition of permissible purposes and a permissible legal basis for the processing of assignment data commissioned by the controller hereunder. This may also include the formulation of a declaration of consent and the circumstances in which the declaration of consent is obtained from the authorised users (see 6.2.), if and insofar as the controller deems this necessary.

6.2 The Client takes appropriate measures to ensure that only its employees or other third parties commissioned by it (referred to hereinafter as “authorised users”) can use the W-CONNECT components and that no unauthorised persons have access to the same. The Client is obliged to inform the Contractor immediately of any unauthorised access.

6.3 The Client is not authorised to transfer or otherwise grant any rights to use W-CONNECT components subject hereto, nor may it sell or otherwise forward these, with or without limitations on time or content. W-CONNECT components remain subject hereto whenever and for as long as the Client has linked them to its account. If the Contractor intends to forward W-CONNECT components, the Client must beforehand delete the link between the respective W-CONNECT component and the Client’s account before forwarding it to third parties. All of the Client’s other rights remain unaffected by the obligation to delete the link prior to the forwarding of W-CONNECT components.

 

7. Further Client and Contractor obligations

7.1 The Contractor safeguards confidentiality pursuant to 2(b) of Art. 28(3), Art. 29, Art. 32(4) EU GDPR. When performing its work, the Contractor may only deploy employees who have been obliged to maintain confidentiality and familiarised beforehand with the relevant data protection requirements. The Contractor and every person reporting directly to the Contractor and granted access to personal data may process these data exclusively in accordance with the instructions issued by the Client, including the powers conferred hereby, unless they are obliged to process these data by law.

7.2 The Client and the Contractor agree on the implementation of and adherence to all technical and organisational measures required for this assignment pursuant to 2(c) of Art. 28(3), Art. 32 EU GDPR.

7.3 When performing their tasks, the Client and Contractor cooperate with the supervisory authority upon request. This includes immediate information provided by the Client on any audit activities and measures by the supervisory authority, provided these affect this assignment. This also applies when an assigned authority investigates the Contractor as part of an offence or criminal proceedings with respect to the processing of personal data regulated herein.

7.4 If the Client itself becomes subject to audits by a supervisory authority, as part of an offence or criminal proceedings, to liability claims filed by a data subject or third party or to another claim in connection with the Contractor’s processing of data regulated herein, the Contractor must support the Client to the best of its ability.

7.5 The Contractor examines at regular intervals the internal processes and the technical and organisational measures for the purpose of ensuring that the processing of data lying within its scope of responsibility complies with the requirements of the applicable data protection laws and that the rights of the data subject remain unviolated.

 

8. Sub-contractual relations

8.1 Sub-contractual relations as defined herein are those services that refer directly to the provision of the main service. This does not include additional services utilised by the contractor, e.g. telecommunication services, mailing/transportation services, maintenance and user services or the disposal of data storage devices and other measures safeguarding confidentiality, availability, integrity and reliability of data processing hardware and software. However, the Contractor is obliged to make adequate contractual agreements and take audit measures in compliance with legal requirements to safeguard the protection and security of the Client’s data, also in the event of outsourced additional services.

8.2 The Client agrees to commission the following sub-contractors under the condition of a contractual agreement pursuant to the requirements under Art. 28(2–4) EU GDPR:

Sub-contracting company: Würth IT GmbH
Address/country: Industriepark Würth, Drillberg 6, 97980 Bad Mergentheim, Germany
Service:
  • hosting, administration and maintenance of server, storage, backup and network components
  • support services

Sub-contracting company: Rubinlake GmbH
Address/country: MesseTurm, Friedrich-Ebert-Anlage 49, 60308 Frankfurt am Main
Service:
  • administration and maintenance of the SMS server and W-CONNECT functionalities
  • support services

Sub-contracting company: Stoll von Gáti GmbH
Address/country: Haller Str. 187, 74564 Crailsheim
Service:
  • administration and maintenance of the app for mobile devices and browser version

8.3 Outsourcing to other sub-contractors or contracting new sub-contractors is permitted when:

  • the Contractor has notified the Client adequately in advance, in either writing or some other text form, of this outsourcing to sub-contractors and
  • the Client has not submitted to the Contractor its objection, in either writing or some other text form, to this planned outsourcing within thirty days of this notification and
  • it is based on a contractual agreement as defined under Art. 28(2–4) EU GDPR.

When the Client has a legitimate reason under the data protection laws to object to the processing of personal data by the new sub-contractors, it may terminate the agreement in the form of a written declaration issued to the Contractor with effect from a date specified by the Client, but no later than thirty days after the date on which the Contractor notified the Client of the new sub-contractor. If the Client fails to terminate within this period of 30 (thirty) days, the new sub-contractor is deemed approved by the Client.

8.4 The sub-contractor may not access the personal data managed by the Client and may not commence its contracted operations until all of the sub-contracting requirements have been met.

8.5 When the sub-contractor performs its assigned service outside of the EU/EEC, the Contractor implements the corresponding measures to safeguard compliance with the data protection laws. The same applies when service providers are to be deployed as specified under 2 of (1).

 

9. Client’s audit rights

9.1 The Client is granted the right, with the Contractor’s consent, to conduct reviews or to have these conducted by auditors that are appointed from case to case. The Client is granted the right to conduct spot checks, following notice submitted adequately in advance, for the purpose of verifying the Contractor’s adherence hereto on its own premises.

9.2 The Contractor ensures that the Client is in a position to verify the latter’s fulfilment of its obligations pursuant to Art. 28 EU GDPR. The Contractor is obliged to provide the Client with the necessary information and in particular to verify the compliant implementation of the technical and organisational measures.

9.3 Measures affecting not only the actual assignment may be verified in the form of

  • compliance with approved rules of conduct as specified under Art. 40 EU GDPR,
  • certification by means of procedures approved under Art. 42 EU GDPR,
  • recent attestations, reports or extracts thereof issued by independent bodies (e.g. external auditors, auditing department, data protection officers, IT security department, data protection auditors, quality auditors),
  • adequate certification verified by an IT security or data protection audit (e.g. approved by the Federal Office for Information Security).

9.4 The Client must announce inspections adequately, but no later than 60 (sixty) days in advance.

9.5 Within a period of two years, the Client is granted the right to conduct an inspection during which the Contractor may not claim remuneration for the provision of personnel. If the Client wishes to conduct further inspections within this period, the Contractor may issue a claim for remuneration to the amount of €125 for each hour in which the Contractor provides personnel to carry out the inspection.

9.6 In justified individual cases, in particular in the event of essential changes to the processing activity, of the agreed technical and organisational measures or of incidents relevant to data protection, the Client is granted the right to further inspections free of charge. The Client must state the reasons for this measure. The Contractor considers the reasons stated by the Client to an appropriate extent when deciding to facilitate additional inspections free of charge.

 

10. Contractor’s obligation to provide support and notification in the event of violations

10.1 The Contractor supports the Client in fulfilling its duties affecting the security of personal data listed under Art. 32–36 EU GDPR and its obligations to report data breaches and to prepare and issue data protection impact assessments. This includes, for instance,

  • safeguarding an adequate level of protection by means of technical and organisational measures based on the circumstances and purposes of processing and on the predicted likelihood and severity of a possible legal infringement in the form of vulnerabilities and allowing for the immediate identification of relevant infringement incidents,
  • the obligation to report personal data breaches immediately to the Client,
  • the obligation to support the Client in its obligation to inform the data subject and to provide it with all relevant information immediately,
  • supporting the Client in its data protection impact assessments,
  • supporting the Client during prior consultations with the supervisory authority

10.2 The Contractor may claim remuneration for support services not included in the service agreement or due to misconduct on the Client’s part.

 

11. Client’s authority to issue instructions

11.1 The Client confirms oral instructions immediately (at least in text form).

11.2 The Contractor informs the Client immediately if the Contractor believes an instruction infringes data protection requirements. The Contractor is entitled to suspend the execution of the affected instructions until they have been confirmed or modified by the Client.

 

12. Erasure and return of personal data

12.1 Data may not be copied or otherwise duplicated without the Client’s knowledge. This does not apply to backups, provided that they serve to ensure regular data processing, nor to data required for complying with legal retention periods.

12.2 On completion of the work agreed herein, or earlier when the Client requests this, yet no later than termination of the service agreement, the Contractor must destroy all documents transferred to its possession, all generated processing and usage results and all databases in connection with the contracted assignments. At the Client’s request, the Contractor may as an alternative hand over these data.

12.3 Documentation serving to verify due, compliant data processing must be retained by the Contractor for the periods stipulated following the end of contract. At the end of contract, for exoneration purposes, the Contractor may also hand over this documentation to the Client.

 

13. Liability

13.1 The Client and the Contractor are liable with respect to data subjects as specified under Art. 82 GDPR. The Contractor consults with the Client on a possible fulfilment of liability claims.

13.2 The parties exempt each other from liability when and insofar as a party can verify that it is not responsible in any manner for the circumstance that caused the damage to a data subject, in particular the Client exempts the Contractor from any third-party claims and/or fines imposed on the grounds of the Client’s breach of its obligation to delete the linking of W-CONNECT components with its account as defined under 6.3.

13.3 In all other respects, Art. 82(5) GDPR applies.

13.4 Unless stipulated otherwise in the above, the liability hereunder corresponds to the liability under the service agreement.

 

14. Final provisions

14.1 The parties agree that the Contractor may not exert its right of retention as defined under § 273 BGB to submit an objection affecting the data transferred for processing and its carriers.

14.2 Any amendments and additions hereto must be made in writing. This also applies to the provision stipulating the written form. The priority of separate contractual agreements remains unaffected thereby.

14.3 Should any provisions hereunder or any part thereof be or become invalid or unenforceable, this does not affect the validity of the remaining provisions.