
This text has been translated automatically. For a correct version, please go to the German page.

Contract on commissioned processing in accordance with Art. 28 of the General Data Protection Regulation (GDPR)


the (natural or legal) person who
uses the automated creation of transcripts (hereinafter “speech recognition”)

hereinafter: “responsible person”


audiotranskription – dr. dresing & pehl GmbH – Deutschhausstrasse 22a – 35037 Marburg – Germany
CEO: Dr. Thorsten Dresing and Thorsten Pehl
Phone: +49 6421 590979-0          E-Mail:

hereinafter: “audiotranskription”,

the responsible person and audiotranskription hereinafter jointly: “parties”.


The parties have entered into a contract for the provision of transcription services of audio files (hereinafter: “Main Contract”).

The contract applies exclusively to the beta phase and ends on 13.10.2019 with the deletion of the account and all data of the responsible person.

Due to the automated transcription, audiotranskription will generally not obtain knowledge of the content of the audio data provided by the responsible person. However, in the context of the transcription process and hosting, it is at least technically not impossible that access will occur. Even if access were to occur, audiotranskription is generally unable to link the audio data to a specific person. This would generally only be the case if, for example, the persons involved were named in an interview.

Since for this reason the identification of a natural person and thus the processing of personal data cannot be ruled out, the parties conclude this contract on commissioned processing (hereinafter: “Contract”) and thereby concretize the obligations of the parties regarding data protection, which result from the main contract. The agreement shall apply to all activities related to the main agreement in which audiotranskription, its employees or persons commissioned by audiotranskription may come into contact with personal data of the data controller.

Contact persons for data protection issues

The parties agree on the following contact persons, who are authorized to give or receive instructions on data protection issues arising under the contract:

  • on the part of audiotranskription: Dr. Thorsten Dresing and Thorsten Pehl (Management dr. dresing & pehl GmbH)
  • on the part of the responsible person: the person stored in the user account.

In urgent cases, however, the responsible person may also issue instructions to all other audiotranskription employees, for example, if the aforementioned persons are not available to the responsible person.

A change in the persons authorized to give or receive instructions or their permanent inability to do so must be notified by the parties in writing as soon as possible, stating the contact details of the new person(s) authorized to give or receive instructions. Until receipt of such notification, the designated persons shall continue to be deemed authorized to issue instructions or receive data for all data protection issues.

Subject of the processing (Art. 28 (3) p. 1 GDPR)

audiotranskription processes personal data on behalf of the controller in order to fulfill its contractual obligations to the controller. The subject of the processing is the automated transcription of audio files into text files. Details result from the main contract as well as from Annex 1.

Duration of the processing (Art. 28 (3) p. 1 GDPR)

The duration of the contract results from the main contract. Termination of the main agreement shall automatically result in termination of this agreement. The responsible person may terminate the main agreement extraordinarily at any time if audiotranskription violates data protection regulations or the provisions of this agreement, in particular if audiotranskription fails to carry out an instruction of the responsible person.

Nature, scope and purpose of the processing (Art. 28 (3) p. 1 GDPR)

The responsible person can upload audio files to a server via a software client (f4transcript or web browser) as part of the main contract. There, the voice files are automatically converted into a text. The generated text is displayed to the responsible person in the software client, where it can be further processed locally. All data uploaded to the server will be deleted after transcription and transfer to the software client. Details can be found in the main contract and in Appendix 1.

Type of personal data (Art. 28 para. 3 p. 1 GDPR)

The audio files submitted for transcription by the responsible person can potentially contain all kinds of personal data, in particular personal master data (e.g. name, address, telephone number and e-mail address), depending on an interview topic, for example. For this reason, an exhaustive list is not possible here. The data controller shall name at least the basic (expected) types of data subject data in Annex 4, especially if special categories of personal data are involved.

Categories of data subjects (Art. 28 (3) p. 1 GDPR)

The processing concerns all persons included on the audio files uploaded by the data controller, i.e. the speaking or identifiable persons and persons referred to within a conversation. The data controller shall name at least the basic categories of data subjects in Annex 4.

Rights and obligations of the responsible person (Art. 28 (3) p. 1 GDPR)

The rights and obligations of the data controller arise from the main contract and this contract. In the event of a claim against audiotranskription by a data subject pursuant to Art. 82 GDPR, the responsible person shall support audiotranskription to an appropriate extent.

Processing of personal data only on documented instruction (Art. 28 para. 3 p. 2 lit. a GDPR)

audiotranskription shall process personal data of the data subject only in accordance with the main agreement and the provisions contained in this agreement and upon documented instruction of the responsible person. This applies in particular to the transfer of personal data of the responsible person to a person or organization in a third country or to an international organization. For the purpose of documenting the instructions, audiotranskription shall keep a register which shall be presented to the data controller upon request.

Instructions from the responsible person that go beyond the previous (main) contractual provisions or modify them should generally be given in writing or text form. If necessary, the responsible person may also issue instructions orally or by telephone. However, instructions given orally and by telephone require immediate confirmation in writing or text form by the person authorized to give instructions to the responsible person as specified in Section 1 of this Agreement.

Insofar as instructions are unclear or misleading from audiotranskription’s point of view, it shall immediately inform the data controller in writing and obtain clarification. After giving the data controller prior notice in due time, audiotranskription shall be entitled to suspend the execution of the instruction until the data controller confirms or amends the instruction.

audiotranskription may also process personal data of the data controller if an obligation exists under the law of the European Union or a Member State (Art. 28 para. 3 p. 2 lit. a GDPR). In this case, audiotranskription shall notify the data controller of such legal requirements, unless the law in question prohibits such notification due to an important public interest.

Obligation of engaged persons (Art. 28 (3) p. 2 lit. b GDPR)

audiotranskription shall require persons employed or authorized to process the personal data to maintain confidentiality and data secrecy in advance or shall ensure that they are subject to an appropriate statutory duty of confidentiality with regard to the personal data. audiotranskription shall also ensure that the aforementioned obligations continue to apply after termination of this agreement.

Technical and organizational measures (Art. 28 (3) p. 2 lit. c GDPR)

audiotranskription shall design its internal organization in such a way that it meets the special requirements of data protection. audiotranskription shall take technical and organizational measures to adequately protect the data of the persons responsible that meet the requirements of data protection law. These result in particular from Art. 32 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR shall be taken into account. The specific measures taken are documented in Annexes 1 and 2.

audiotranskription undertakes to comply with its obligations under Art. 32 (1) (d) GDPR and to implement a procedure to regularly review, assess and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing.

Technical and organizational measures are subject to technical progress and further development. For the duration of this Processing, audiotranskription shall continuously adapt and further develop the technical and organizational measures to the requirements of this Agreement. The level of protection agreed here and in Annex 2 may not be undercut in the process.

Involvement of subcontracted processors (Art. 28 (3) p. 2 lit. d GDPR)

The data controller agrees that audiotranskription may use the sub-processors listed in Annex 3 for the processing of the data controller’s personal data.

audiotranskription shall inform the data controller in advance of any intended commissioning of additional sub-processors or changes to existing commissions. The responsible person has the right to object to the engagement of new sub-processors or the modification of existing engagements. Such notice shall be given in sufficient time to permit the responsible person to exercise such right of objection with reasonable time for consideration prior to the intended change.

If audiotranskription uses the services of a sub-processor named in Annex 3 or of another sub-processor for the processing of Personal Data of the Controller, it shall impose on the sub-processor in advance, by contract or by another applicable legal instrument under the law of the European Union or of the Member State concerned, the same data protection obligations as those laid down between it and the Controller in that contract or by another applicable legal instrument under the law of the European Union. In doing so, it shall in particular ensure that the Controller is granted its own control rights and that the Sub-processor provides sufficient guarantees that appropriate technical and organizational measures are in place and implemented in such a way that the processing is carried out in accordance with the requirements of data protection law and this contract.

Place of processing

The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior written consent of the data controller and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

Support of the data controller in fulfilling data protection obligations (Art. 28 (3) p. 2 lit. e and f GDPR)

audiotranskription shall assist the controller to the best of its ability in responding to inquiries and claims by data subjects pursuant to Chapter III of the GDPR. audiotranskription shall not respond to requests for information and other requests by data subjects itself, but shall refer the data subjects to the controller in this respect.

audiotranskription supports the data controller in the responsibility of complying with the obligations set out in Art. 32 to 36 GDPR, e.g. security of processing, notification of data breaches to supervisory authorities, notification of data subjects about data breaches, data protection impact assessment obligations and coordination with the data protection supervisory authority.

Deletion and return of data after completion of processing (Art. 28 (3) p. 2 lit. g GDPR)

If an error occurs during the upload, e.g. due to an unrecognized file format or the connection being terminated, the incomplete audio file is immediately deleted from the server. The person responsible will then receive a corresponding notice.

The transcribed data can be downloaded by the responsible person from the server provided by audiotranskription. As soon as the server receives the message about the successful download, the file is finally deleted from the server.

If a transcription result is not collected after 14 days, the responsible person will receive a notice by e-mail. If this notice remains unanswered or no download is made by the responsible person, the responsible person will receive a second reminder after another 7 days. If the deadline for collection of a further 7 days specified therein expires, the data will be deleted and the responsible person will be informed of this by e-mail.

audiotranskription shall create a server log of any deletion or destruction of data, which must be presented to the responsible person upon request.

Documentation that serves as proof of orderly and proper data processing or legal retention periods shall be retained by audiotranskription beyond the end of the contract in accordance with the respective retention periods.

Data protection obligations of audiotranskription, proof and control rights (Art. 28 (3) p. 2 lit. h GDPR)

The data controller shall satisfy himself/herself as to the technical and organizational measures taken by audiotranskription prior to commencing data processing and thereafter on a regular basis. To this end, he/she may, in particular, obtain information from audiotranskription, obtain existing certificates from an expert and inspect the data processing systems used to process his/her data or have them inspected by third parties commissioned by audiotranskription.

audiotranskription shall regularly monitor the technical and organizational measures taken and shall appoint a data protection officer to the extent audiotranskription is legally obliged to do so. The contact details of the data protection officer shall be communicated to the person responsible upon conclusion of the contract and thereafter without delay in the event of any change.

audiotranskription shall maintain the register of processing activities pursuant to Art. 30 GDPR and shall make it available to the Controller upon request.

audiotranskription shall provide the Controller with all information necessary to prove compliance with its contractual and legal obligations as audiotranskription. audiotranskription shall permit and enable the Controller and persons commissioned by the Controller to carry out appropriate checks – including inspections – during audiotranskription’s normal business hours (Mondays to Fridays between 08:00 and 15:00, with the exception of public holidays in Germany) and shall contribute to such checks to an appropriate extent. Should the person commissioned by the responsible person to carry out the verification be in a competitive relationship with audiotranskription, audiotranskription shall have a right of objection.

If the responsible person commissions a third person to carry out the inspection, the responsible person shall oblige the third person to maintain secrecy and confidentiality, unless this person is subject to a professional confidentiality obligation. At the request of audiotranskription, the responsible person shall submit the obligation agreement to audiotranskription without delay.

If an inspection is required, the responsible person shall inform audiotranskription in good time (generally at least two (2) weeks in advance) of all circumstances relating to the performance of the inspection.

Information about instructions that violate data protection (Art. 28 (3) sentence 3 GDPR)

If audiotranskription is of the opinion that an instruction of the responsible person violates the main agreement and/or this agreement and/or applicable data protection law, audiotranskription shall notify the responsible person thereof without delay.

Correction, deletion and blocking of data

audiotranskription shall not correct or block any personal data of the data controller unless instructed to do so by the data controller. The destruction of data carriers and other materials in compliance with data protection regulations shall be carried out by audiotranskription on the basis of an individual order by the responsible person, unless this has already been agreed in the contract or main contract.

Breach notification (Art. 33(2) GDPR)

audiotranskription shall inform the data controller without delay in the event of the possibility of unlawful acquisition of personal data by third parties or in the event of other serious breaches by audiotranskription or the persons employed by audiotranskription within the scope of the contract of regulations on the protection of personal data of the data controller or stipulations made in this contract. audiotranskription shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects and shall consult with the data controller without delay in this regard. The aforementioned notification obligation shall always apply if the possibility cannot be ruled out that the breach will lead to a notification obligation on the part of the responsible person pursuant to Article 33 of the GDPR or a corresponding regulation.

audiotranskription shall report any personal data breach within the meaning of Art. 4 No. 12 GDPR to the responsible person pursuant to Art. 33 Para. 2 GDPR without undue delay.


If third parties assert claims against audiotranskription for violation of data protection provisions based on a violation by the responsible person of data protection provisions or of the provisions of the contract, the responsible person shall assume the defense of the legal dispute at its own expense and shall indemnify audiotranskription against all claims as well as the reasonable costs of legal prosecution upon first request. audiotranskription shall inform the responsible person without undue delay of the relevant claim letters of third parties and – to the extent possible – grant the responsible person the authority to defend itself against the claims.


Unless otherwise stipulated in the main agreement, all services provided by audiotranskription under this agreement shall be compensated for with the remuneration in accordance with the main agreement.

Standard contractual clauses for commissioned processing contracts

Should the EU Commission or the competent supervisory authority develop standard contractual clauses for commissioned processing contracts in accordance with Art. 28 (7) and (8) GDPR, the parties will agree on a possible adaptation or replacement of the contract.

Further support and information obligations of audiotranskription

In the event of a claim against the responsible person by a data subject pursuant to Art. 82 GDPR, audiotranskription shall support the responsible person to an appropriate extent.

Should the data of the data controller at audiotranskription be jeopardized by attachment or seizure, by insolvency or composition proceedings, by requests for disclosure in connection with legal proceedings or by other events or measures of third parties, audiotranskription shall inform the data controller thereof without undue delay. audiotranskription shall inform all data controllers in this context without undue delay that sovereignty and ownership of the data rests exclusively with the data controller.

For the aforementioned information and support services, audiotranskription shall receive separate remuneration in accordance with audiotranskription’s currently valid price list.

Applicable law / place of jurisdiction

German law shall apply to this contract.

The exclusive place of jurisdiction for all disputes arising from or in connection with this agreement shall be the registered office of audiotranskription. audiotranskription shall also be entitled to sue the responsible person at the latter’s registered office.

Final provisions

Amendments or supplements to this contract must be made in writing. This also applies to the amendment and cancellation of this clause.

Insofar as no special provisions are contained in this contract, the provisions of the main contract shall apply. In the event of contradictions between this contract and provisions from the main contract, the provisions from this contract shall take precedence.

Should any provisions of this contract be invalid, this shall not affect the validity of the remaining provisions. The parties shall endeavor to replace the invalid provisions with a valid provision that comes as close as possible to the economic meaning of the invalid provisions. The same shall apply in the event of a gap in this contract.

Appendix 1: Data protection design of automatic transcription of audio files

I. Initial situation / brief description of the company

dr. dresing & pehl GmbH, Deutschhausstraße 22A, 35037 Marburg, Germany, (hereinafter also: “we”) has been selling software under the brand name “audiotranskription” since 2005, as well as (as an optional supplement to this) so-called “foot switches” for the manual transcription of interviews. The transcription software is mainly used in the university context and is a central component of qualitative method training there.

In cooperation with the Fraunhofer Institute IAIS, dr. dresing & pehl GmbH developed a technical solution for the automatic creation of transcripts from audio files. This solution is intended to minimize the time required for the creation of scientific transcripts.

In the future, the automated transcription of audio files into text files is to be offered as an extension of the company’s own service portfolio. The entire execution of the contract will be carried out solely by dr. dresing & pehl GmbH. Therefore, Fraunhofer Institute IAIS will not receive any customer data. The aforementioned automated transcription service is the subject of this data protection presentation.

In the following, we therefore describe our contractual and technical measures to make the automated speech recognition service compliant with data protection law. The transcription service will be offered to customers in the future on this basis.

II. Clarification of terms

In the following, a distinction is first made between:

  • “contract data”, i.e. data of the using person (hereinafter “you”) (i.e. name, address, etc.), and
  • “order data”, i.e. audio files and the corresponding text files that the using persons upload to order our services as well as the respective transcribed data. These files may contain personal voice data of the user as well as voice data of third parties (the recorded persons).

III. Information of the customers according to Art. 13 GDPR

You will be informed in detail about the data processing before or when creating a customer account in accordance with Art. 13 GDPR.

Specifically, the information is provided on the website via the privacy policy, in which, among other things, information is provided in accordance with this document. The privacy policy is also prominently referred to when creating a user account.

IV. Overview of the workflow

You will upload interviews or other voice files to a server of dr. dresing & pehl GmbH via a software client (f4transcript or a web client). There, the voice files are automatically converted into a text. The generated text is displayed in the software client and can be processed locally. All data uploaded to the server will be deleted after transcription and transfer to the software client. The individual steps of this process are explained in more detail below:

1. Software installation/registration

The prerequisite for using the service is the installation of the f4transcript software or a corresponding web client. Here you must register personally before using the speech recognition service. A corresponding dialog is displayed by the software to be installed locally. Your registration takes place in the following steps:

Step 1: Assignment of username and password

In the first step, you will be asked to enter your e-mail address, a password of your choice, and confirmation that you have read and understood the privacy policy (which can be viewed via a link). The password to be chosen must meet certain minimum requirements (a combination of upper/lower case, special characters, numbers, at least 10 characters).

The password can be changed after authentication by e-mail. When entering the e-mail address in the corresponding field of the client, a code is sent to the stored e-mail address. Only after entering this code, the password can be changed.

Step 2: Confirmation of registration

To verify the specified e-mail address, a code is sent to the stored e-mail address. The account is only activated once the customer has entered this code via the login dialog in the client. Unconfirmed data will be deleted after 6 hours.

Step 3: Conclusion of a contract on order processing (ADV)

After confirming the registration, you will be shown a dialog for concluding an ADV. It contains the contract text, including a list of technical and organizational measures and of subcontracted processors (server hoster). You have the option of entering the purpose of the processing and the type of personal data to be processed separately. The text of the contract will be sent by e-mail after confirmation by you (conclusion of the contract pursuant to Art. 28 (9) GDPR).

Step 3a (optional): Obligation to maintain secrecy in accordance with § 203 StGB

Some groups of persons (e.g. in legal or medical activities) are subject to special provisions on secrecy according to § 203 StGB. In order to enable the processing of data, it is necessary in these cases that we explicitly commit ourselves and subcontractors (beyond the provisions of the ADV) to secrecy in accordance with § 203 StGB. Upon request, you will optionally receive a corresponding commitment in electronic form.

2. Activation for the upload of order data

Only after the registration is completed will the account be activated for uploading order data to our server. The registration information is stored on the speech recognition server and is physically and logically separated from billing data (see section VII. Data processing infrastructure).

3. Purchase of time quotas via the online store

The use of automated speech recognition is enabled on the basis of time quotas. The time quotas can be purchased in advance in the form of credit codes via our online store. These codes are generated by our activation server (logically and physically separated from the speech recognition server) and sent by e-mail. The codes are not personal and can be used by any (but registered) person to top up their own time quota.

Order data such as name, address, e-mail address, phone number, date of order and number of ordered items are loaded for billing and accounting purposes on the server of the web store and on our in-house server in Marburg and stored in accordance with the legal retention periods. Payment information (credit card data) is not collected by us, but transmitted directly via so-called iframes or via payment pages of the respective payment processors to the payment processing companies (PayOne, PayPal). The privacy policy of the webshop has been reviewed by Trusted Shops. The billing data is logically and physically separated from the order data.

V. Processing of individual orders

By “processing of individual orders” we mean the upload of an audio file to our server, the processing there and the download of the finished results, up to the deletion of the individual order data. The order data is stored on the server only as long as it is necessary for the purposes of processing. Afterwards, the order data is transferred back to your computer and stored there locally by you.

1. Upload of audio files

Audio files can be uploaded to our server if you are registered and logged in to a client. The client generates an asymmetric key pair for each audio file during upload. The public key is sent to the server together with the audio file during upload (job key). When using f4transcript, the private key is encrypted with your secret password and stored on the client computer. This ensures that the job data can only be decrypted from the registered client. When using f4x via the browser, this password is stored encrypted on a separate server (separate from the speech recognition).

Uploading to our server is done via a secure connection. File names are pseudonymized by replacing them with random but unique names before processing; when using f4transcript, this already happens during the upload.

2. Processing

For processing, the audio file is decoded by the speech recognition algorithm and converted into a text file. The audio file is deleted immediately after successful conversion to a text file. The finished text file is encrypted with the job’s public key and cached on the server for retrieval.

The server reports a status to the client for each job. Successfully converted jobs report the status to the client and activate the “Download” button there.

3. Download

The finished text files can be downloaded from the client. After successful download, the text file is decrypted by the private key on the client. When using f4transcript, the combination of public and private key ensures that the results can only be decrypted on the machine from which the job was uploaded. When using f4x via the browser, the result can only be decrypted with correct credentials.

4. Deletion

Once the server receives the successful download message, the file is finally deleted from the server.

If an error occurred during the upload, e.g. due to an unrecognized file format or the connection being terminated, the incomplete audio file is immediately deleted from the server. The client will then receive a corresponding message.

If a result is not picked up after 14 days, you will receive a notice by e-mail. If this notice remains unanswered, you will receive another reminder after 7 days. If the 7-day collection period specified therein expires, the order data will be deleted and the client will be informed of this by e-mail.

VI. Duration of data storage and data deletion

With regard to the duration of data storage and data deletion, a distinction must be made as follows:

  • Contract data is initially stored permanently on the voice recognition server for legitimization and order control. The deletion of the contract data takes place when the account is deleted, provided that no contractual and/or legal retention periods prevent the deletion.
  • Order data, i.e. the audio files and the corresponding text files, are stored for the duration of the processing until they are downloaded by you or until the agreed deletion period has expired and are then automatically deleted.
  • Supplementary information on the order data, such as file size and date of upload, is stored to enable the processing and billing of individual orders and to document them. This data is stored for traceability by you and documentation of possible claims for as long as the account is active. When the account is deleted, the data is deleted.
  • Order data when purchasing time allotments (e.g. the name, address, e-mail address, telephone number (optional), the date of the order and the number of items ordered) are uploaded to the webshop server and to our in-house server in Marburg for billing and accounting purposes and stored in accordance with legal retention periods.

Detailed information about the exact data, processing purposes and storage periods is provided in the privacy policy.

VII. Data processing infrastructure

The infrastructure used for data processing is divided into four physically independent areas. The TOMs in the annex to the ADV inform you about the infrastructure used. In detail:

1. Speech recognition server

The “speech recognition server” contains the speech recognition algorithm and manages order processing and user administration. This is where the order data is temporarily stored during processing. This data is processed on a dedicated root server of Hetzner Online GmbH in Nuremberg or Falkenstein.

The data center is DIN-ISO/IEC-27001 certified (German accreditation body D-ZM-18855-01-00, certificate number ZN-2016-04). A contract for order processing was concluded on 29.10.2018.

2. Webshop

The webshop for the purchase of time quotas and e-mail services run via a server of ALL-INKL.COM Neue Medien Münnich with server locations in Dresden and Friedersdorf. The address data provided by you, the purchased items and the correspondence by e-mail are stored here. A contract for order processing was concluded on 25.05.2018.

3. Internal order processing

For billing and accounting purposes, customer data is stored on our own servers at the business premises of dr. dresing & pehl GmbH in Marburg and archived in accordance with statutory retention periods. Access to the data is regulated in particular by an access concept (password, restrictive assignment of rights, etc.).

4. Payment processing

Data for credit card payments or for direct debit orders are not stored by us. The processing of these payment methods is forwarded directly to the payment service provider BS PAYONE GmbH in Frankfurt am Main via so-called iframes.

Payments by PayPal are made by you directly on the payment page of PayPal (for European customers PayPal (Europe) S.à r.l. et Cie, S.C.A., in Luxembourg).

Appendix 2: Technical and organizational measures

The following measures ensure the protection of order data:

I. Confidentiality

Access control to the business premises of dr. dresing & pehl GmbH (hereinafter referred to as “we”)

  • Access is secured by a manual locking system.
  • Access to the premises for persons outside the company (e.g. persons visiting us) is restricted or only possible in the company of dr. dresing & pehl GmbH employees. The allocation of keys is restrictive and is documented.

Access control to productive systems

  • Access to production systems with sensitive data is password-protected, and access is restricted to personnel with the appropriate security clearance. Passwords used must comply with the password concept. Access to external productive systems is exclusively via a secure connection.

Access control

  • By means of regular security updates (according to the respective state of the art), we ensure that unauthorized access is prevented.
  • The transfer from the client to the server is exclusively encrypted. Job data is immediately stored in encrypted containers during the upload. Decryption is only possible on the client from which the upload was started. Regular access to order data by employees of dr. dresing & pehl GmbH is therefore not possible.
  • Employees of audiotranskription have no access to stored order data.
  • The person using the client is responsible for the security and updates of the client used.

Data medium control

  • Internally used data carriers are securely deleted or physically destroyed in accordance with a deletion concept.
  • It is ensured that server hosters have a suitable concept for deleting/destroying hard disks that are no longer in use.

Separation control

  • In audiotranskription’s internal administration system, data for billing (invoice/order processing, etc.) is stored physically and logically separate from order data. Data backup also takes place on logically and/or physically separate systems.
  • For the speech recognition online service, order data is stored physically or logically separated from other data. Data backup takes place on logically and/or physically separated systems.


  • The user is responsible for the pseudonymization of the data before uploading the data.

II. Integrity (Art. 32 (1) (b) GDPR)

Transfer control

  • All our employees have been instructed in accordance with Art. 32 Para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.
  • There is an automated deletion of the data after order processing.
  • Encrypted data transmission will be provided to the extent of the service description of the main order.

Input control

  • The data is entered or recorded by the user himself.
  • All changes to the data on the server are logged automatically.

III. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

Availability control for audiotranskription internal management system

  • There is a backup and recovery concept with daily backup of all relevant data.
  • Expert use of protection programs (virus scanners, firewalls, encryption programs, spam filters) that secure the server against unauthorized intrusion.
  • Hard disk mirroring of all relevant servers.
  • Monitoring the status of all relevant computers.

Availability control for the speech recognition online service

  • Use of the high security technology of the hoster.
  • Ensure that hoster has suitable concepts and measures for: use of uninterruptible power supply, backup power supply system, permanently active DDoS protection. Use of a software firewall and port regulations, backup and recovery concept with daily backup of data. Use of hard disk mirroring mechanisms.
  • Monitoring of all relevant servers.

Rapid recoverability (Art. 32(1)(c) GDPR)

  • For all internal systems, direct information channels (messengers) exist for informing the responsible personnel in the event of an error in order to restore the system as quickly as possible.

IV. Procedures for periodic review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

A system is in place for regular review, assessment and evaluation of all measures taken.

Order control

Our employees are instructed in data protection law at regular intervals and are familiar with the procedural instructions and user guidelines for data processing on behalf of the company, also with regard to the right to issue instructions to the person responsible and authorized to issue instructions.

Appendix 3: Subcontracted Processor

| Subprocessor | Contact details | Subject of processing |
|---|---|---|
| Hetzner Online GmbH | Industriestrasse 25, 91710 Gunzenhausen | Hosting data |
| Fraunhofer-Institut für Intelligente Analyse- und Informationssysteme IAIS | Schloss Birlinghoven, 53754 Sankt Augustin | Support and maintenance of the speech recognition algorithm |

Annex 4: Categories of data and groups of data subjects

This information was provided by the responsible person in the registration process and is listed in the confirmation email.

Status: 15.10.2019
