General Terms and Conditions

General Terms and Conditions of the Noerpel Group for Order Processing pursuant to Art. 28 GDPR


The Noerpel Group provides services in the field of logistics and comes into contact with personal data, which clients transmit to Noerpel to process the order.


1. Subject and duration of an order
The duration of this order (term) corresponds to the term of the service agreement we have concluded with you. The subject of the order results from the service agreement Noerpel has concluded with you. Should we process special personal data within the meaning of Art. 28 GDPR on your behalf, such as personal master data, communication data of your contact persons (e.g. telephone, e-mail address data), contract billing and payment data or customer data with full address, we adhere to the following regulations in our cooperation:


2. Ascertainment of the order contents
The contractually agreed data processing takes place exclusively in a member state of the European Union or in another state that is signatory to the Agreement on the European Economic Area. Any transfer of the processing services to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are met.


3. Technical and organisational measures
Before the contract is awarded and before processing begins, Noerpel will carefully check the technical and organizational measures necessary for implementing the order.


Noerpel will provide security in accordance with Art. 28 (3) lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 (1) and (2) GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection that is commensurate with the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the technological state of the art, the implementation costs and the type, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR must be taken into account (see Appendix - Technical and Organizational Measures).


The technical and organizational measures are subject to technical progress and further development. In this respect, Noerpel is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not be undershot. Any material changes must be documented. In the event that Noerpel is to implement more far-reaching technical measures than those set out in Art. 28 (3) lit. c), the parties shall agree on the costs to be borne accordingly. Should the parties disagree on the costs, Noerpel will continue to implement the legally required status as before.


4. Rectification, restriction and erasure of data
Noerpel will not rectify, erase or restrict the data processed on behalf of the client without the client's consent, but only in accordance with the client's documented instructions. If a person concerned contacts Noerpel directly in this respect, Noerpel will immediately forward this request to the client and provide corresponding information regarding the processing thereof.

To the extent covered by the scope of services, the control model of the right to erasure, to be forgotten, rectification, data portability and information must be ensured directly by Noerpel in accordance with the documented instructions of the client.

5. Quality assurance and other obligations of the contractor
Noerpel also ensures the following requirements in accordance with Art. 28 to 33 GDPR:

  • Written appointment of a data protection officer who carries out his duties in accordance with Articles 38 and 39 GDPR.
  • This person's contact details will be communicated to the client to allow for direct contact. If the data protection officer changes, the client will be informed upon request. Otherwise the conditions will be updated.
  • Noerpel has currently appointed the following company as responsible agent for data protection:


steep GmbH
Arne Siegert, Ass. iur.

Data Protection / Consultant
Justus-von-Liebig-Straße 18
Tel: +49-228-6681-229
Tel: +49-151-40726567
Fax: +49-228-6681-77


as well as

Katrin Metz,

Data Protection Lawyer / Consultant

Tel: +49-228-6681-231

Tel: +49-176 16681 504

Fax: +49-228-6681-774


The protection of confidentiality pursuant to Articles 28 (3) sentence 2 lit. b, 29 and 32 (4) GDPR is guaranteed. In carrying out the work, Noerpel will only employ employees who are obliged to maintain confidentiality and have been familiarized beforehand with the relevant data protection provisions.  Any person who answers to Noerpel and has access to personal data will process these data exclusively in accordance with the instructions and authority of the client within the scope of the legal obligations and provisions.


Noerpel ensures the implementation and compliance with all technical and organisational measures required for this order in accordance with Articles 28 (3) sentence 2 lit. c and 32 GDPR [details in Appendix Technical - Organisational Measures].


Upon request Noerpel and the contractor shall cooperate with the supervisory authority in the fulfilment of their tasks.


Noerpel will immediately provide information on any control actions and measures taken by the supervisory authority in so far as they relate to this order. This also applies if a competent authority investigates the processing of personal data during order processing at Noerpel within the scope of administrative offence or criminal proceedings.


Insofar as Noerpel itself becomes the subject of inspection by the supervisory authority, of administrative offence or criminal proceedings, of liability claims of a person concerned or a third party or of any other claim in connection with the processing of the order by the contractor, the contractor shall support Noerpel to the best of its ability. Noerpel shall regularly monitor the internal processes as well as the technical and organisational measures to ensure that the processing that falls in its area of responsibility is carried out in accordance with the requirements of the applicable data protection laws and that the rights of the data subject are protected.


6. Subcontracting
For the purposes of this Regulation, subcontracting is defined as services which relate directly to the provision of the principal service. This does not include ancillary services which Noerpel uses, such as telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. In order to guarantee data protection and data security of the client's data, Noerpel will, as far as possible, also insist on appropriate and legally compliant agreements and control measures in the case of outsourced ancillary services, insofar as this is reasonable.


7. Inspection rights of the client
The client has the right, in agreement with Noerpel, to carry out inspections or to have them carried out by inspectors to be appointed in individual cases against payment of an appropriate fee. The client has the right to convince itself of Noerpel's compliance with this agreement in its business operations by means of spot checks, which as a rule must be announced in good time.


Noerpel ensures that the client can make sure that Noerpel complies with its obligations in accordance with Art. 28 GDPR.


Noerpel can furnish proof of such measures, which do not only concern the concrete order, by means of

  • compliance with approved rules of conduct pursuant to Art. 40 GDPR;
  • certification according to an approved certification process in accordance with Art. 42 GDPR, if available;
  • current certificates, reports or extracts of reports from independent bodies (e.g. auditors, auditing departments, data protection officers, IT security department, data protection auditors, quality auditors);
  • a suitable certification through an IT security or data protection audit (e.g. IT baseline protection according to the BSI standard).


In order to enable the client to carry out spot checks on site, Noerpel may charge a fee, which it shall determine at its reasonable discretion.


8. Notification of infringements by the contractor
The Contractor shall support Noerpel in complying with the obligations set out in Articles 32 to 36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This entails, among other things,


  1. ensuring an adequate level of protection through technical and organizational measures which take into account the circumstances and purposes of the processing and the predicted probability and severity of a possible breach of rights by security breaches and which allow the immediate identification of relevant breach events
  2. the obligation to report any infringements of personal data to the client without delay
  3. the obligation to assist the client in its duty to inform the data subject and, in this context, to make all relevant information available to the data subject without delay
  4. assisting the client with its data protection impact assessment
  5. assisting the client in prior consultations with the supervisory authority

Noerpel may claim compensation for support services which are not included in the performance specification or which are not attributable to misconduct on the part of Noerpel.


9. Authority of the client to issue instructions
Noerpel will confirm verbal instructions within a reasonable period of time (at least in text form).


Noerpel must inform the client immediately if the client is of the opinion that an instruction violates data protection regulations. Noerpel shall be entitled to suspend the execution of the corresponding instruction until it confirms a legally compliant change by the client.


10. Erasure and return of personal data
No copies or duplicates of the data will be made without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory storage obligations.


Upon completion of the contractually agreed work or earlier at the client's request – at the latest upon termination of the service agreement – Noerpel shall hand over to the client all documents, processing and usage results as well as data stocks which have come into its possession and which are connected with the contractual relationship, or destroy them in accordance with data protection regulations after prior approval. The same applies to test and discarded material.


Documentations which serve as proof of orderly and proper data processing shall be stored by Noerpel beyond the end of the contract in accordance with the respective retention periods in order to fulfil further legal obligations. Insofar as compliant with legal requirements, Noerpel can hand them over to the client at the end of the contract to be relieved of the burden.


11. Liability
Noerpel shall only be liable for intentional or grossly negligent infringements against the client. The annual liability shall be limited to the sum of the individual order. Any further claims for damages are excluded.

12. Final provisions
Noerpel reserves the right to change these terms and conditions if legal requirements and conditions change. In the event that Noerpel has to disclose personal data of the client due to measures taken by third parties, Noerpel will only do so, if there is no legal authorisation to do so, upon consultation of the client, otherwise Noerpel will notify the client.


Appendix – Technical and organisational measures

  • Preamble
    The security measures listed here apply to all companies of the Noerpel Group. They represent the minimum standard for all our branches. Notwithstanding the following, we have implemented further technical and organisational measures in individual locations that go beyond this standard to ensure the security of your data and to protect your person, in order to be able to guarantee absolute confidentiality. If you have any further questions about our security measures, please feel free to contact us at any time.


1. Confidentiality, Art. 32 (1) b) GDPR

  • Physical access control
    No unauthorised access to data processing systems, security locks and keys, chip cards or transponder locking systems, electric door openers, reception and gatekeepers, access regulations for persons outside the company (registration and ID card obligation), alarm systems, video surveillance of the area.
  • System access control
    No unauthorised system use, rules about secure passwords and password management, automatic locking of devices, encryption of mobile data carriers and devices, use of central smartphone administration software.
  • Data access control
    No unauthorised reading, copying, modification or removal within the system through authorization control model and demand-oriented and purpose-oriented access rights, logging of access to folders and data, proper destruction of all data carriers, always up-to-date virus protection, firewalls, the latest software and regular updates.
  • Separation control
    Separate processing of data collected for different purposes (logical client separation), separation of productive and test systems.

2. Integrity, Art. 32 (1) b) GDPR

  • Transfer control
    No possibility of taking company data by blocking external interfaces (USB ports etc.), use of virtual private network technology, dedicated authorization control model for passing on information and data, obligation of all employees to maintain confidentiality.
  • Input control
    Keeping a log about whether and by whom personal data are entered, changed or removed in data processing systems, role- and rights-based control model for entering, changing and deleting data.


3. Availability and resilience, Art. 32 (1) b) GDPR

  • Availability control
    Protection against loss through backup strategy and recovery plan, creation of backup copies, reporting channels and contingency plans.
  • Resilience control
    Conducting regular resilience tests.

4. Procedures for periodic review, assessment and evaluation, Art. 32 (1) d), 25 (1) GDPR

  • Data protection management, external data protection officer, order control within the scope of order data processing in accordance with Art. 28 GDPR (no order data processing without corresponding instructions from the client, through clear contract drafting, formalised order management, strict selection of the service provider, vetting duty, checks during the assignment).