Terms and Conditions for the Use of the Closelink Platform Solution for Customers
Last updated: 30 September 2022
1. General
(1) The online portal www.closelink.com (hereinafter also referred to as the “platform”) is a service of Closelink GmbH (“Closelink”) providing sellers and purchasers with a web-based platform solution for enabling purchasing activities and/or planning and management activities in the sector of the shipping industry and companies procuring or buying maritime supplies or other goods and services for vessels.
(2) Closelink does not become a party to the contracts between customers and vendors, but solely makes the platform available for the contractual relations between customers and vendors.
(3) These terms and conditions (“T&Cs”) regulate the Customers’ rights and obligations for the use of the platform, unless and to the extent expressly agreed otherwise in an individual contractual agreement between Closelink and the Customer (“Customer Agreement”).
(4) The T&Cs are an integral part of the legal relationship between Closelink and the Customer on the use of the services that are offered by Closelink via the platform.
(5) The platform shall only be accessible and these T&Cs shall only apply to entrepreneurs (Unternehmer), legal entities under public law or special funds under public law within the meaning of Sec. 310 (1) of the German Civil Code (Bürgerliches Gesetzbuch – BGB).
(6) Closelink’s Privacy Policy which governs the collection and processing of personal data with Closelink being the controller of such personal data (i.e., Closelink using data obtained from the Customer for Closelink’s own business purposes) is accessible on Closelink’s homepage under www.closelink.com/privacy-policy. Regarding the processing of personal data provided by Customers using the platform (i.e., data of the Customers’ employees and business contacts as well as Users managed via the platform), the Customers remain controllers of such personal data and Closelink acts as a processor under the Data Processing Agreement (“DPA”) supplementing these T&Cs. The terms “controller” and “processor” shall be interpreted as provided for in the General Data Protection Regulation (“GDPR”; i.e., “controller” refers to the entity determining the purposes and means of processing, “processor” refers to the entity processing personal data on behalf of the controller).
(7) Deviating terms and conditions of the Customer are hereby rejected and shall not be part of the legal relationship between Closelink and the Customer.
(8) The Customer will be notified of any changes to these T&Cs by Closelink in writing or in text form. If the Customer does not reject such changes within six weeks after receipt of the notification, the changes shall be deemed agreed. In case of any change to these T&Cs, the attention of the Customer will be drawn separately to the right to object and the legal consequences of remaining silent.
(9) “Customers” shall mean those Users of the platform who source and/or wish to source goods and/or services from the vendors via the platform. Potential customers are likewise covered by the term.
(10) “Vendors” shall mean those Users of the platform who offer and/or wish to offer goods and/or services for sale via the platform and/or supply the goods to the Customers and/or perform the services towards the Customers. Potential vendors are likewise covered by the term.
(11) “Users” shall mean all visitors to the platform, including Vendors, Customers, their respective representatives and authorized employees as well as other authorized third parties that are granted access to the platform regardless of prior registration in accordance with Section 3 below.
2. General Obligations of the Customer
(1) The Customer shall keep its login data and passwords confidential and shall ensure that its authorized Users (in particular, in case of group accounts) are obliged to keep the login data and passwords confidential. The Customer shall implement appropriate security measures in order to prevent any unauthorised access to the platform by third parties. The Customer must ensure and is solely responsible that (i) its authorized representatives and employees use the account in line with these T&Cs and (ii) no unauthorized third parties are being granted access to the platform. If the Customer gains knowledge that a user account has been misused, used without authorization or could have been misused by third parties, it is required to provide Closelink with the details of such incident immediately, but not later than three days after the incident. As soon as Closelink becomes aware of the unauthorised use, Closelink is entitled to the rights pursuant to Section 7 below. Closelink reserves the right to change the Customer’s login data and password; in such case Closelink will immediately inform the Customer by email.
(2) Any actions performed using the login data of a Customer or one of its employees are generally attributable to the respective Customer and such Customer shall be responsible and liable for any actions of Users acting in his name or on his behalf, except where the Customer proves that third parties have illegally used the login data for the respective action without fault on part of the Customer. Customers are responsible for all declarations of intent submitted by themselves on the platform. The Customer shall ensure that its employees have been familiarised with data processing as part of the use of the platform in accordance with the applicable data protection and privacy requirements. If the personal data of an employee cannot be processed in accordance with the applicable data protection and privacy requirements, the Customer must deactivate the user account concerned without undue delay and inform Closelink thereof.
(3) The Customer is fully responsible for the content posted by it on the platform (any text input and drawings). In particular, the Customer is responsible that content posted is completely free of any third party rights and also legally suitable for this usage and is permitted to be made available.
(4) The Customer shall indemnify Closelink from any claims and appropriate costs incurred by Closelink in conjunction therewith (including costs arising for the legal defense), including claims for damages which third parties assert against Closelink due to an infringement of their rights and/or breaches of applicable statutory regulations with regard to the content posted by the respective Customer. All further rights of Closelink under applicable law, including claims for damages, remain unaffected.
(5) In principle and subject to applicable law and legislation, all content of the Customer can be posted and managed via the platform which the Customer considers necessary for entering into agreements with the Vendors and which complies with applicable law.
(6) Closelink is entitled to check the content or have it checked at any time for admissibility, without however being required to do so. If the content breaches these T&Cs, applicable law or legislation or third-party rights or if there is specific evidence of such a breach, Closelink is entitled to the rights under Section 7 below.
(7) The Customer shall use the data obtained from the platform for their own internal business purposes only and shall not share it with third parties.
(8) The Customer shall ensure that any of its representatives and employees acting in its name and/or on its behalf have the appropriate powers to enter into contracts via the platform for the Customer. The Customer shall upon request provide evidence of this to Closelink.
3. Registration
(1) To use the services offered on the platform, the Customer must register for the platform and open a user account.
(2) The offer to use the platform as a Customer is only aimed at companies which are active in the sector of the shipping industry and companies procuring or buying maritime supplies or other goods and services for vessels.
(3) Upon completion of the registration, the Customer expressly declares its agreement with the applicability of these T&Cs which are accessible during the registration process.
(4) Upon creating the user account, the Customer is obliged to truthfully and fully provide the data requested on registration and to verify the data used by Closelink for accuracy and completeness. It is not permitted to give stage names, pseudonyms or other invented names when the name is requested. If the data collected should change after registration or if it is incorrect or incomplete upon transmission of the user account, the customer is obliged to update its profile without undue delay to this effect or to otherwise transmit the changed data to Closelink.
(5) Closelink reserves the right to verify the Customer’s details and to deny access to the platform should any irregularities arise. After completion of the registration process, Closelink will set up a user account for the Customer and provide the Customer with the access data for the user account (“login data”) to the email address given by the Customer (so-called confirmation of permission).
(6) Closelink reserves the right to create a user account for individual Customers without prior registration to the platform and to send the Customer the login data by email if the required details of the Customer are known to Closelink and the Customer has declared its prior consent to the use of its data for this purpose in another way (so-called confirmation of permission). On first login to the platform, the Customer declares its acceptance of these T&Cs.
(7) The login data sent to the Customer in the confirmation of permission applies to a master account via which the Customer is authorized to set up further user accounts for authorized employees. The Customer represents and warrants towards Closelink that (i) it will only make these user accounts available to its own employees who have sufficient authority to use the platform and (ii) the user accounts of employees who are no longer employed by the Customer or who do not have or no longer have sufficient authority to use the platform will be deactivated without undue delay and such (former) employees will not have access to the platform anymore.
4. Contracts between Customers and Vendors
(1) Closelink does not become a party to the contracts between Customers and Vendors, but solely makes the platform available for the contractual relations between Customers and Vendors. Processing and performing contracts entered into via the platform is a matter for the respective Customers and Vendors alone. For the contracts concluded via the platform, Closelink assumes neither a guarantee for the fulfilment nor liability for material defects nor defects of title of the goods and/or services traded. Closelink bears no obligation for fulfilment.
(2) Closelink cannot assume any warranty for the true identity and power of disposition of the respective Users. In cases of doubt, Customers and Vendors are required to find out in an appropriate manner about the true identity as well as the right of disposal of the other contract party.
(3) The Users are responsible for ensuring that all contracts concluded by them via the platform on sourcing goods and/or services as well as delivering them do not breach national or international trade restrictions or sanctions applicable at the registered office of Closelink, such as sanction measures in the form of authorization requirements or prohibitions regarding services or investments and the export, import, transit, movement, sale, acquisition, delivery, provision and forwarding of goods and/or services.
(4) A copy of the data on the transactions sent via the platform will remain at Closelink. Closelink will safeguard the confidentiality and correct storage of the data in accordance with the applicable data protection and privacy requirements and subject to the provisions of the DPA.
5. Fees, Sanctions of Evasions
(1) For a request initiated via the platform, an order may only be placed with a Vendor via the platform. If, contrary to sentence 1, the Customer is offered execution of a request posted on the platform in another form, particularly outside the platform, the Customer must refuse it and ask the relevant Vendor to post the offer using the platform. Moreover, the Customer may only accept an offer to a request initiated by it and place the order via the platform. The Customer is prohibited from circumventing the platform. In the event of a breach of this Section 5(1), Closelink is entitled to an extraordinary termination of the customer agreement with the breaching Customer and can demand a penalty for breach of contract of USD 350 per order submitted/accepted by circumventing the platform. Further rights of Closelink remain unaffected. Any claims for damages by Closelink are to be set off against the penalty received for breach of contract.
(2) Closelink does not cover and cannot be held responsible for any costs that originate from other software providers of the Customer for the use of technical interfaces or any other service fees related to the use of Closelink’s platform.
6. Copyrights and Rights of Use
(1) The copyright and exclusive right of use to published objects created by Closelink (webpages, scripts, programs, graphics) remain solely with Closelink.
(2) The reproduction or use of elements of the platform in other electronic or printed publications, particularly on other webpages, is not permitted without the express consent of Closelink.
(3) Upon posting content on the platform, the Customer grants Closelink in each case a free and transferable right of use and exploitation, unlimited in time and space to the respective content, in particular making it publicly accessible, editing and reproducing it where this is necessary for provision and publication in connection with the platform and/or advertising it. Where the content posted by the Customer is removed again from the platform, this right of use and exploitation expires. However, Closelink remains entitled to store copies created for security and evidence purposes.
7. Closelink’s Rights to Delete Content, Block User Accounts etc.
If a Customer breaches the Customer Agreement, these T&Cs, statutory provisions or third party rights or if there is concrete evidence of such a breach or Closelink has another justified interest, especially for protecting other users from fraudulent activities, Closelink is entitled to take the following actions: (a) deleting offers or other content that has been posted on the platform, (b) warning Customers due to specific breaches, (c) limiting/restricting the use of the platform, (d) blocking provisionally and (e) blocking the user account permanently. In the choice of action, Closelink will consider the justified interests of the Customer concerned, particularly whether there is evidence that the Customer is not at fault for the breach. Closelink will inform the Customer on the action by email and give it the opportunity to make a statement.
8. Liability of Closelink
(1) For any damages other than damages to life, limb or health, the liability of Closelink to the Customer is excluded, except for any damages caused by intentional or grossly negligent behaviour of Closelink, of one of its legal representatives or one of its vicarious agents and further provided that respective damage is also not caused by a breach of material contractual obligations of Closelink. Material contractual obligations are such obligations the fulfilment of which makes the proper execution of the contract possible in the first place and which the Customer may normally expect to be complied with. Liability for breach of such a material contractual obligation is limited to damage typical of this type of contract the occurrence of which Closelink had to assume when entering into the contract based on the circumstances known on that date. The exclusions of liability and limitations stated do not apply in the event of the assumption of express warranties by Closelink as well as in the event of claims based on the lack of assured properties or where claims under the Product Liability Act are concerned.
(2) Closelink assumes no liability for malfunctions of the platform that are not the fault of Closelink.
(3) Closelink is only liable for the loss of data in line with the above clauses if such a loss would not have been avoidable on the part of the Customer by appropriate data backup measures.
(4) The liability does not cover impairment of the contractual use of the services provided by Closelink via the platform that has been caused by improper or incorrect use by the Customer.
(5) The above limitations of liability also apply analogously to the benefit of the vicarious agents of Closelink.
(6) To the extent there is the opportunity to be routed via the platform to a database or websites etc. of third parties (e.g., by the insertion of links or hyperlinks), Closelink shall not be liable either for accessibility, existence or security of these databases, websites or services or for the content of the same, in particular, Closelink shall not be liable for the legality, accuracy of content, completeness or current nature etc.
(7) In any case, the Customer is obliged to mitigate any damages in accordance with German law. This includes giving timely notice of damages to Closelink.
9. Platts products and services
(1) In case the Customer has access to any data information provided by S&P Platts (“Platts”) through the platform, the following applies:
i. Neither Closelink, Platts, their affiliates nor any third-party licensor shall have any liability for the accuracy or completeness of the Platts products and services, furnished through the platform, or for delays, interruptions or omissions therein, nor for any lost profits, indirect, special or consequential damages;
ii. Platts, their affiliates and/or third-party licensors have exclusive proprietary rights in any information included within the Platts products and services;
iii. Customer shall not use or permit its employees or anyone else to use the information or software provided through the platform for any unlawful or unauthorized purpose;
iv. The Platts products and services shall be provided for Customer's internal use only and Customer and its employees are not authorized or permitted to redistribute, furnish any Platts products and services or any related information to any person or firm for reuse or retransmission without the prior written approval of the source of such information; and
v. Access to the Platts products and services is subject to termination in the event that the agreement between Closelink and Platts or any agreement between Closelink or Platts and a provider of information or software distributed through the platform is terminated in accordance with its terms.
vi. Platts may enforce its rights against Customer as the third-party beneficiary of the agreement between Closelink and Customer, even though Platts is not a party to the agreement between Closelink and Customer.
10. Final Provisions
(1) If individual provisions of these T&Cs are or become wholly or partially invalid, the remaining provisions of these T&Cs shall not be affected. The invalid provision shall be replaced by the parties by mutual agreement by such a provision that comes closest to the economic purpose of the invalid provision in a legally effective manner.
(2) The relationships between the contracting parties shall be exclusively governed by the laws of the Federal Republic of Germany excluding its conflict of laws provisions and UN sales law (United Nations Convention on Contracts for the International Sale of Goods, CISG).
(3) The exclusive place of jurisdiction for all disputes arising from these T&Cs is the registered office of Closelink.
(4) The contract language is English.
Data Processing Agreement (DPA)
1. Subject matter
(1) This DPA specifies the rights and obligations of Closelink and the Customer arising from the processing of personal data in the performance of the services under the T&Cs. For this purpose, the Customer (as the “Controller”) hereby appoints Closelink (as the “Processor”) as a processor within the meaning of Article 28 GDPR. All terms used in this DPA shall have the meaning defined in the GDPR.
(2) Covered by this DPA are all personal data of the Controller to which the Processor has access during the performance of the services under the T&Cs. This shall apply irrespective of whether the Processor is provided with these personal data by the Controller, generates them independently or receives them by other means, e.g. from the data subjects themselves. Appendix 1 lists (i) the categories of persons concerned, (ii) the types of personal data and (iii) the scope and purpose of the processing. This DPA does not apply to data other than personal data.
(3) This DPA shall apply while services are provided under the T&Cs.
2. Principle of processing on behalf and processing abroad
(1) The Processor assures to take appropriate technical and organizational measures so that the processing is carried out in accordance with the requirements of the GDPR and the protection of the rights of the data subjects is ensured.
(2) The processing by the Processor and, if applicable, the other Subcontractors commissioned by it shall generally take place in a member state of the European Union. The Processor shall be entitled to transfer the processing to a third country if the special requirements of Chapter V of the GDPR are met.
3. Subcontracting
(1) Processor shall not use any other contractor ("Subcontractor") without the consent of the Controller.
(2) Controller hereby grants its consent to engage the Subcontractors named in Appendix 2.
(3) The Controller hereby also grants its general consent to the engagement of Subcontractors. In this regard, the Processor shall inform the Controller of any intended change with respect to the use or substitution of Subcontractors, giving the Controller the opportunity to object to such changes.
(4) Where the Processor uses the services of a Subcontractor to carry out certain processing activities on behalf of the Controller, the same data protection obligations as set out in this Contract shall be imposed on the Subcontractor by way of a contract or other legal instrument under Union law or the law of the Member State concerned, in particular providing sufficient assurance that the appropriate technical and organizational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR. To this end, the parties clarify that it is sufficient for the imposition of the same data protection obligations if the level of protection under the subcontract corresponds to the level of protection under this DPA.
(5) If the Subcontractor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for the Subcontractor's compliance with its obligations in accordance with Article 28 (4) GDPR.
(6) Subcontracting within the meaning of this provision shall not include services which the Processor uses from third parties as an ancillary service to support the performance of this DPA. These include, for example, telecommunications services, maintenance and user service, auditors or the disposal of data carriers. However, the Processor shall be obligated to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Controller's data, even in the case of ancillary services contracted out to third parties.
(7) The Subcontractor's compliance with approved codes of conduct pursuant to Article 40 GDPR or an approved certification procedure pursuant to Article 42 GDPR may be used as a factor to demonstrate sufficient assurance within the meaning of Section 3 (4) of this DPA.
4. Controller's right to issue instructions
(1) The personal data covered by this DPA shall only be processed upon documented instructions from the Controller - including with regard to the transfer of personal data to a third country or an international organization - unless the Processor is required to do so by the law of the Union or the Member States to which the Processor is subject; in such a case, the Processor shall notify the Controller of such legal requirements prior to the processing, unless the relevant law prohibits such notification due to an important public interest.
(2) The instructions of the Controller are facilitated via the functions of the platform as governed by the T&Cs.
(3) The Processor shall not use the personal data collected under this DPA for any other purposes than the performance of the services under the T&Cs. Excluded from this are security copies, insofar as they are necessary to ensure proper processing, as well as data required with regard to compliance with statutory retention obligations.
5. Control rights of the Controller
(1) The Processor undertakes to provide the Controller, upon written request and within a reasonable period of time, with such information as is necessary to prove compliance with the obligations under this DPA.
(2) For this purpose, the Processor may also submit current test certificates, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors) or suitable certification by IT security or data protection audit.
(3) The Controller shall compensate the Processor for the expenses incurred in providing the information.
6. Technical and organizational measures
(1) The Processor warrants that the persons authorized to process the personal data under this DPA have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality.
(2) Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the Controller and the Processor shall each take appropriate technical and organizational measures within their respective spheres of responsibility to ensure a level of protection appropriate to the risk.
(3) In assessing the adequate level of protection, particular account shall be taken of the risks inherent in the processing, in particular from destruction, loss, alteration or unauthorized disclosure of, or access to, the personal data covered by the contract, whether accidental or unlawful, which have been transmitted, stored or otherwise processed.
(4) The technical and organizational measures to be taken by the Processor are set out in Appendix 3 to this DPA. The Controller acknowledges that compliance with the measures agreed in Appendix 3 to this DPA satisfies the requirements of this Section 6.
(5) The Processor shall be entitled at any time to replace the technical and organizational measures specified in Appendix 3 to this DPA by other measures, provided that the Processor complies with the requirements agreed in Section 6 (2).
(6) The Parties agree that compliance with approved codes of conduct pursuant to Article 40 GDPR or an approved certification procedure pursuant to Article 42 GDPR may be used as a factor to demonstrate compliance with the requirements set forth in this Section 6.
(7) The Processor shall ensure that natural persons under its authority who have access to the personal data covered by this DPA process them only on the instructions of the Controller, unless they are obliged to process them under Union or Member State law.
7. Information obligations of the Processor
(1) The Processor shall inform the Controller without undue delay in accordance with Article 33 (2) of the GDPR if it becomes aware of a breach of the protection of the Controller's personal data covered by this DPA.
(2) The Controller shall compensate the Processor for the expenses incurred in providing the information, unless the violation of the protection of the Controller's personal data covered by this DPA is due to the fault of the Processor.
8. Duties in support of the Controller
(1) In view of the nature of the processing, the Processor is obliged to support the Controller as far as possible with appropriate technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of the data subject referred to in Chapter III of the GDPR (data subject rights).
(2) The Processor is obliged, taking into account the nature of the processing and the information available to it, to assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR.
(3) The Processor is obligated to provide the Controller with all necessary information to demonstrate compliance with the obligations set forth in Article 28 GDPR and to enable and contribute to reviews - including inspections - conducted by the Controller or another auditor appointed by the Controller.
(4) The Processor shall inform the Controller without undue delay if it believes that an instruction violates the GDPR or other data protection provisions of the Union or the Member States.
(5) The Controller shall compensate the Processor for the expenses incurred in the performance of the aforementioned services pursuant to this Section 8.
9. Obligation to delete and return
Upon completion of the provision of services under the T&Cs, the Processor shall be obliged to either delete or return all personal data collected under this DPA, at the discretion of the Controller, unless there is an obligation under Union or Member State law to store the personal data collected under this DPA. In particular, the applicable retention and archiving obligations shall remain unaffected.
10. Final provisions
(1) Insofar as services of the Processor are marked as subject to compensation under this DPA, the corresponding services of the Processor shall be remunerated according to the general remuneration rates of the Controller in the version valid at the time of performance of the service.
(2) The liability provisions of the T&Cs shall apply accordingly to this DPA.
(3) This DPA is an integral part of the T&Cs. In the event of any discrepancies between the provisions of the T&Cs and this DPA, the provisions of this DPA shall prevail.
Appendix 1: Persons, data and purposes covered
Categories of data subjects:
- Users of the platform
- Employees of the Customers and Vendors
- Business contacts
Types of personal data:
- Contact and master data (e.g. name, address)
- Contract data
- Communication data
Scope and purpose of processing:
- Provision of services on the platform under the T&Cs
Appendix 2: Subcontractors
Name | Scope of processing
Amazon Web Services | Cloud Provider
Sentry | Error Tracking
MongoDB Atlas | Database Hosting
Mailchimp | Mail Dispatcher
Google Analytics | User Tracking
Userlike | Customer Support
Zapier | Task Automation
MagicBell | Notification Center
Appendix 3: Technical and organizational measures
Pseudonymization
Pseudonymization (i.e., processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate) is implemented in the following areas:
Confidentiality
a) Physical access control
Technical measures:
- Alarm system
- Smart cards / transponder systems
- Video surveillance of the entrances
Organizational measures:
- Key regulation (key delivery, etc.)
- Logging the visitors
b) Digital access control
Technical measures:
- Login with username + password
- Login with biometric data
- Use of VPN technology for remote accesses
- Firewall
- Smartphone encryption
- Encryption of notebooks / tablet
- Automatic desktop lock
- Logging of accesses to applications, especially when entering, changing, and deleting data
Organizational measures:
- Manage user permissions
- Creating user profiles
- Guideline for the creation of a "secure" password
- Mobile device policy
- General policy data protection and / or security
- Reduction in the number of administrators
- Password policy incl. password length, password change
c) Separation control
Technical measures:
- Separation of productive and test environment
Organizational measures:
- Setting database rights
Integrity
a) Transfer control
Technical measures:
- Establishment of dedicated lines or VPN tunnels
- Logging of accesses and retrievals
- Provision via encrypted connections such as sftp, https
Organizational measures:
- Disclosure of personal data in anonymized or pseudonymized form
b) Input control
Technical measures:
- Technical logging of the entry, modification and deletion of personal data
- Manual or automated control of the logs
Organizational measures:
- Traceability of entry, modification, and deletion of personal data through individual user names
Availability and resilience
a) Availability control
Organizational measures:
- Creating a backup & recovery concept
- Control of the backup process
- Regular tests for data recovery and logging of results
- Storing the backup media in a safe place outside the server room
Procedures for regular review, assessment and evaluation
a) Data protection management
Technical measures:
- Software solutions for data protection management in use
- Other documented safety concept
Organizational measures:
- Employees trained and committed to confidentiality / data secrecy
- Regular sensitization of employees through training
b) Incident Response Management
Technical measures:
- Use of a firewall and regular updating
- Use of spam filters and regular updating
- Use of virus scanner and regular updating