Glossary
On this page, we have compiled frequently used technical terms from the areas of IT law, data protection law, IT security law and intellectual property law for you.
- A
- Ability to conclude a collective bargaining agreement
The ability to conclude a collective bargaining agreement is called collective bargaining capacity. According to the Collective Bargaining Act (TVG), only trade unions, employers' associations, and individual employers have collective bargaining capacity.
- Access Management (Process)
The process that is responsible for authorizing the use of IT services, data, and other assets by users. Access management provides support in protecting the confidentiality, integrity, and availability of assets by ensuring that only authorized users can access or make changes to those assets. Access management can also be referred to as authorization management or identity management (IDM).
- Administrative Offense
An administrative offense is a violation of the law that does not have a criminal nature and is therefore not punishable by imprisonment, but by a fine. In some cases, a driving ban of up to three months can also be imposed in addition to a fine for violations of the German Road Traffic Act.
- Affiliate link
An affiliate link is a special reference that leads a user to a product or service on an external website, while the operator of the link receives a commission if a purchase or action is made via this link. It is used as part of affiliate marketing, where partners are paid for referring customers to companies. Affiliate links enable companies to increase their reach, while partners can generate income through commissions.
- Annual financial statements
The annual financial statements comprise the annual balance sheet and the income statement for a commercial business year and are part of the commercial books.
- Anonymization
Anonymization alters personal data in such a way that the data set can no longer be attributed to an identified or identifiable person, not even by adding further, separately stored information. This is what distinguishes it from pseudonymization, where such attribution remains possible with the additional information.
- Anti-competitive behavior prohibition
Dominant companies may not use their superior market power to unduly hinder smaller or medium-sized competitors, either directly or indirectly. Sanctions for anti-competitive behavior are included in the German Competition Act (GWB).
- Artificial intelligence
Artificial intelligence (AI) refers to the development of computer systems that can mimic human-like abilities such as learning, problem-solving and decision-making. It is based on algorithms and data to recognize patterns and perform tasks autonomously. AI is used in various areas, from speech recognition and image processing to the automation of complex processes.
- Asset Management (Process)
Asset management is the process responsible for tracking the values and ownership of financial assets, as well as their reporting throughout their lifecycle. Asset management is part of the broader process of Service Asset and Configuration Management. See Asset Register.
- Assignment
Under § 398 of the German Civil Code (BGB), an assignment is the transfer of a claim by the creditor to another person through a contract with that person. The replacement of the creditor does not involve a change in the debtor or the content of the claim. With the conclusion of the contract, the new creditor steps into the shoes of the original creditor.
- Audiovisual media service
An audiovisual media service is a service that aims to provide moving images and sound, such as videos or films, via electronic communication networks, for example via television channels or streaming platforms. These services are designed to provide the general public with information or entertainment content. In the EU, audiovisual media services are regulated by the Audiovisual Media Services Directive (AVMSD) in order to ensure common standards for providers with regard to the protection of minors, advertising and content diversity.
- Auditing
A data protection audit is a process in which the data protection practices and procedures of a company or organisation are reviewed and assessed for compliance with data protection laws and regulations. The aim of such an audit is to ensure that the processing of personal data is carried out in accordance with the applicable data protection regulations.
- Availability Management (Process)
The process responsible for defining, analyzing, planning, measuring, and improving all aspects of IT service availability. Availability management must ensure that the entire IT infrastructure, as well as all processes, tools, roles, etc., enable the agreed service level targets for availability.
- AVMS Directive
The AVMS Directive (Audiovisual Media Services Directive) is an EU-wide regulation that sets common standards for audiovisual media services such as television and streaming platforms. It aims to ensure the protection of minors, advertising restrictions and the promotion of European content. The directive harmonizes the rules for cross-border media services in the EU and thus creates a uniform legal framework for the digital single market.
- B
- BDSG (Federal Data Protection Act)
The Federal Data Protection Act (BDSG) regulates the collection, processing, and use of personal data, including their transfer to third parties in Germany. The BDSG has a complementary regulatory area to the GDPR. Since the GDPR is an EU regulation, the GDPR enjoys precedence over the BDSG in the event of a conflict between the regulations. Where the GDPR requires national legislative concretizations, the BDSG applies. The new BDSG, which was passed in 2018, differs from the old BDSG of 2003 by being more closely aligned with the GDPR. It increases fines for data protection violations, clarifies outsourcing, expands data subject rights, requires directories of processing activities, introduces data protection impact assessments, and regulates employee data protection, video surveillance, and data protection authorities in more detail.
- BGB (German Civil Code)
The Civil Code (BGB) entered into force in Germany on January 1, 1900, and is the central law of German civil law. It regulates the most important legal relationships between private individuals.
- Branch
Every merchant is required to have a place of business for their commercial business, where they can receive notices. In principle, the merchant's business premises are considered to be the place of business, otherwise their home.
- BSIG (Act on the Federal Office for Information Security)
The Act on the Federal Office for Information Security (BSI-Gesetz) regulates the tasks and powers of the Federal Office for Information Security (BSI) in Germany. The BSI Act regulates the security of critical infrastructures (KRITIS) and defines the duties, tasks and powers of operators and the state.
- C
- Capacity Management (Process)
Capacity management is the process of ensuring that the capacity of IT services and IT infrastructure is sufficient to meet agreed service level objectives in a cost-effective and timely manner. Capacity management takes into account all the resources required to deliver IT services, as well as plans for short-, medium-, and long-term business requirements.
- Capacity plan
A capacity plan is used to manage the resources required to deliver IT services. The plan includes scenarios for different forecasts of business requirements, as well as options, including cost estimates, to achieve agreed service level objectives.
- Cartel
A cartel is an agreement or concerted practice between two or more companies that has the purpose or effect of preventing, restricting, or distorting competition. Cartels are generally prohibited under § 1 of the German Competition Act (GWB).
- Cease-and-desist declaration
By a cease-and-desist declaration, the declarant commits to refrain from a certain behavior in the future. This is particularly relevant in the areas of competition, trademark, and copyright law. If a cease-and-desist declaration is not or not fully submitted, a cease-and-desist lawsuit can be filed.
- Cease-and-Desist Letter
In competition law, a cease-and-desist letter is a formal request from one company to another to cease a suspected unfair competition practice. It is intended to address legal violations such as misleading advertising or unfair competition and to demand injunctive relief and damages in order to ensure fair competition. It is typically accompanied by a request to submit a cease-and-desist declaration that is backed by a contractual penalty.
- Change
- Change Advisory Board (CAB)
A group of people who advise the change manager on the evaluation, prioritization, and scheduling of changes. This committee is typically composed of representatives from all areas of the IT service provider, the business, and third parties such as suppliers.
- Change Management (Process)
- CIRP
A Cyber Incident Response Plan (CIRP) is a pre-defined process created by organisations to respond effectively to cyber security incidents. The plan includes measures to detect, analyse, contain, remediate and recover from a security incident. The aim is to minimise the impact and restore the IT infrastructure quickly and securely.
- Client
A client, in the IT sense, is a computer program that runs on an end device and communicates with a server. Examples of clients are web browsers such as Mozilla Firefox or Apple Safari: the browser connects to a web server, which returns the requested page, and the browser then displays the website.
- Cloud
- Collective bargaining agreement
A collective bargaining agreement is a contract between collectively bargaining capable parties. It consists of a contractual part that regulates the rights and obligations of the collective bargaining parties and a normative part that contains legal norms on the conclusion, content, and termination of employment relationships as well as the regulation of company and works council issues.
- Commercial business
According to the Commercial Code (HGB), a commercial business is any business that is operated with consideration of commercial and/or technical knowledge. The commercial business must be profit-oriented, planned for a certain period of time, and independently run.
- Commercial register
The commercial register is a public register that contains entries about registered merchants in a specific geographical area. It serves not only as a source of information and a means of proof, but also to protect the flow of commerce. The trust of those who rely on the accuracy of the commercial register is protected under § 15 of the Commercial Code (HGB) (so-called publicity of the commercial register).
- Commercial representative
A commercial representative is a self-employed trader who is constantly commissioned to mediate or conclude business for another entrepreneur. A commercial representative works on behalf of and for the account of another entrepreneur.
- Commission
A commission is a contract in which a merchant (the commission agent) enters into a transaction with a third party in their own name but on behalf of another person (the principal). The contract between the principal and the commission agent is called a commission contract.
- Competition law license agreement
In competition law, restrictions in contracts for the use or licensing of intellectual property rights that go beyond the scope of the protection right are prohibited.
- Compliance
Compliance means the adherence to legal requirements, regulatory standards, and additional self-imposed ethical standards and requirements in a company.
- Configuration Item (CI)
Configuration items (CIs) are all the components that need to be managed in order to deliver an IT service. Information about each CI is captured in a configuration record within the configuration management system and managed by configuration management throughout its lifecycle. CIs are subject to the control and governance of change management. CIs typically include IT services, hardware, software, buildings, people, and formal documentation, such as process documentation and SLAs.
- Configuration Management (Process)
Configuration management is the process responsible for the maintenance of information about configuration items (CIs) and their associated relationships. This information is managed throughout the lifecycle of the CI. Configuration management is part of a comprehensive service asset and configuration management process.
- Configuration Management Database (CMDB)
A database that is used to store configuration records throughout their lifecycle. The configuration management system manages one or more CMDBs, and each CMDB stores attributes of CIs as well as relationships to other CIs.
- Configuration Management System (CMS)
A set of tools and databases used to manage the configuration data of an IT service provider. The CMS also contains information on incidents, problems, known errors, changes, and releases, and may also include data on employees, suppliers, locations, business units, customers, and users. The CMS includes tools for collecting, storing, managing, updating, and presenting data on all configuration items and their relationships. The CMS is under the responsibility of configuration management and is used by all IT service management processes.
- Configuration Record
A record that contains the details of a configuration item. Each configuration record documents the lifecycle of an individual CI. Configuration records are stored in a configuration management database.
- Consumer
A consumer is any natural person who enters into a legal transaction that does not serve a commercial or self-employed professional activity.
- Content Provider Contract
A content provider agreement is an agreement between a provider of content hosted on the internet (content provider) and an internet user who wants to use the content. It regulates the rights and obligations relating to the creation, provision, licensing and use of the hosted content.
Areas where content provider agreements are frequently required include:
Media and entertainment: e.g., contracts between music labels, film providers, or distribution partners such as television channels, streaming platforms, or even app stores.
Digital platforms: e.g., social media agreements, podcasts, or video hosting platforms (e.g., YouTube).
Software or technology: e.g., contracts between software developers and their customers, which regulate, among other things, how the software may be used and what support is provided.
Education sector: e.g., e-learning platforms.
- Continual service improvement
Continual service improvement (CSI) is a phase in the life cycle of an IT service and the title of one of the ITIL core publications. CSI is responsible for managing improvements to IT service management processes and IT services. This includes continuously measuring the performance of the IT service provider and making improvements to processes, IT services, and IT infrastructure to improve efficiency, effectiveness, and cost-effectiveness.
- Contract penalty
- Cookies
Cookies are small text files that websites create and that the web browser stores on the user's local device when a website is visited, in order to retain individual user data. For example, the contents of a shopping cart can be stored in a cookie and retrieved again on the next visit to the website.
- Copyright law
The right of the creator (author) of an individual intellectual work is protected by copyright law. The intellectual work includes both its content and its internal and external form.
- Copyright license agreement
- CRM data protection
CRM data protection refers to data protection in connection with customer relationship management (CRM). CRM is a strategy and software application used by companies to manage customer relationships, track interactions with customers, manage sales opportunities and analyse customer data. As CRM systems contain a wealth of personal data about customers and potential customers, data protection is of great importance in this context.
Effective CRM data protection includes the following aspects:
Consent: Organisations should ensure that they obtain explicit consent from customers to store and process their personal data in a CRM system. This may mean informing customers how their data will be used and giving them the opportunity to authorise or reject this use.
Data security: Access to customer data stored in the CRM system should be restricted to authorised persons. Security measures such as encryption and access controls should be implemented to protect data from unauthorised access and misuse.
Data minimisation: Companies should only store the information in the CRM system that is required for the respective business purpose. Superfluous or no longer required data should be regularly deleted or anonymised.
Transparency: Customers should be informed about the use of their data in the CRM system and it should be easy for them to understand how they can exercise their data protection rights, including the right to access, correct and delete their data.
Data protection impact assessments: In some cases, particularly when processing sensitive data, it may be necessary to conduct data protection impact assessments to evaluate risks to customer privacy.
Compliance with data protection laws: Companies must comply with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR), and other local regulations. This includes reporting data breaches to supervisory authorities when required.
- Cyber Defense
Cyber Defence refers to the proactive measures that organisations take to protect their information technology systems from cyber attacks. This includes implementing security measures, monitoring networks, detecting attacks and responding quickly to security incidents.
- Cyber Security
Cyber security refers to the protection of computer systems, networks and data against cyber threats. This includes measures to prevent unauthorised access, detect security incidents and respond to attacks. The aim is to ensure the confidentiality, integrity and availability of information and to minimise potential damage from cyber attacks.
- D
- Data breach
Data breach means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes incidents in which personal data is compromised, stolen or accidentally disclosed. In the event of a data breach, the controller is obliged to notify the competent data protection authority and, under certain circumstances, the data subjects. The data breach may result in legal consequences and fines, especially if appropriate security measures have not been taken. Not all ‘data breaches’ pose a risk to the data subjects. Whether a data breach has occurred should be legally examined.
Examples:
Loss or theft of devices: When a laptop, smartphone or other device containing personal data is stolen or lost.
Hacking or cyber attacks: When an attacker penetrates the IT infrastructure of a company or organisation and accesses data that they should not see.
Phishing attacks: When employees fall for fraudulent emails or websites and reveal their login credentials, resulting in unauthorised access to data.
Misconfiguration of databases and servers: when databases or servers are inadvertently configured to be accessible to unauthorised users.
Incorrect data transfer: if data is inadvertently sent to the wrong person or organisation.
Unauthorised access by internal employees: if employees who are not authorised access data.
Loss or disclosure of physical documents: When confidential documents are lost or fall into the hands of unauthorised persons.
- Data processing
Data processing is the use of data with the goal of extracting information from them. It begins with the collection or capture of data and continues through storage, transmission, change, or linking.
- Data processing agreement
According to Article 28 of the General Data Protection Regulation (GDPR), a person who processes personal data on behalf of a controller is a processor. The controller and the processor must enter into a so-called data processing agreement, which regulates, among other things, how the processor performs its activities, what security measures it must take for the affected personal data, and what control rights the controller may exercise over the processor.
- Data protection
Data protection is the protection of individuals from the impairment of their personality rights through the handling of their personal data. The Federal Data Protection Act (BDSG) regulates the collection, processing, and use of personal data that is processed in information and communication systems or manually.
- Data protection impact assessment (DPIA)
A data protection impact assessment (DPIA) is an instrument of data protection law that is used to assess the impact of planned data processing on the protection of personal data. Art. 35 of the European Union's General Data Protection Regulation (GDPR) requires a DPIA if a planned data processing operation is likely to result in a high risk to the rights and freedoms of natural persons.
The DPIA is particularly important in situations where new technologies or processing methods are used that could increase the data protection risk. It helps to identify data protection problems and take appropriate measures to minimise risks.
A data protection impact assessment is intended to ensure that data protection-relevant aspects are already taken into account in the planning phase of data processing projects. It is an important safeguard to ensure that personal data is handled appropriately and in compliance with the law and that the rights and freedoms of data subjects are protected. Companies and organisations should carry out DPIAs carefully when planning data processing activities that could pose a high data protection risk.
Typically, a data protection impact assessment comprises the following steps:
Identification of data processing: Firstly, it is determined which data processing activities or projects require a DPIA. These can be extensive data processing activities such as databases, profiling systems or new technologies.
Data protection risk assessment: In this step, the potential impact of data processing on the data protection rights and freedoms of data subjects is assessed. This includes identifying potential risks and the likelihood of them occurring.
Risk minimisation measures: Based on the assessment of data protection risks, suitable measures are taken to minimise these risks. This may include the implementation of data protection techniques and procedures, pseudonymisation, encryption, access controls or other security measures.
Consultation with the data protection supervisory authority: In some cases, the GDPR requires that the data protection supervisory authority be consulted before any planned data processing begins. This is necessary if the risk to data protection rights and freedoms is high and the measures taken are not sufficient to mitigate this risk.
Documentation: The results of the DPIA and all measures and consultations taken must be carefully documented. This serves to prove compliance with the GDPR.
- Data protection law
Data protection law refers to the area of law that deals with data protection.
The purpose of data protection law is to guarantee the right to informational self-determination and to ensure the protection of personal data.
- Data protection management system
A data protection management system (DPMS) is a systematic approach to managing, securing and monitoring personal data in a company or organisation. The aim of a DPMS is to ensure that personal data is protected and processed in accordance with the applicable data protection regulations. It helps to minimise data protection risks and ensure compliance with data protection regulations.
- Data protection officer
The General Data Protection Regulation (GDPR) requires the appointment of a data protection officer in organizations that process personal data. The data protection officer is responsible for ensuring compliance with the GDPR and other data protection laws (e.g., BDSG).
- Data protection policy
A data protection policy (also known as a privacy policy) under the General Data Protection Regulation (GDPR) is a document created by companies and organisations to define and communicate their internal data protection practices and guidelines. This policy is intended to ensure that the processing of personal data is carried out in accordance with the requirements of the GDPR and that the data protection rights of the data subjects are safeguarded.
- Data protection transfer to third countries
Data transfer to third countries, also referred to as transfer of personal data to third countries, refers to the transfer of personal data from a member state of the European Union (EU) or the European Economic Area (EEA) to a country outside the EU or EEA. This is an important term in the context of the European Union's General Data Protection Regulation (GDPR).
The GDPR contains specific provisions on the transfer of personal data to third countries, as these countries may not offer the same level of data protection as the EU. The GDPR allows the transfer of personal data to third countries under certain conditions:
Adequacy decision: the European Commission may decide that a third country offers an adequate level of protection for personal data. In this case, the transfer to this country can take place without further authorisation.
Adequate safeguards: If there is no adequacy decision, personal data can be transferred to a third country if adequate safeguards for the protection of the data are in place. This may involve contracts with standard data protection clauses (standard contractual clauses) being concluded between the parties to ensure that data protection standards are met.
Binding Corporate Rules (BCR): Multinational companies can develop and have approved BCRs that can be used for the transfer of data within the group of companies to third countries.
Requests for information from third countries: If a third country requests access to personal data, companies must ensure that they comply with the requirements of the GDPR and consult the data protection supervisory authority if necessary.
Consent of the data subject: The data subject can give their express consent to the transfer of data to a third country.
- Data security
In legal terms, data security refers to the measures and procedures taken to protect personal data from unauthorised access, loss, theft, damage or unauthorised disclosure. Data security is an important aspect of data protection law and is covered in detail in various data protection laws and regulations, including the European Union's General Data Protection Regulation (GDPR).
- Data subject access request
The data subject access request is based on the right to access under Article 15 of the General Data Protection Regulation (GDPR). This gives everyone the opportunity to find out which personal data a company stores about them. The data subject access request is therefore the request from (affected) persons for confirmation of whether personal data concerning them are being processed.
- Data subject rights
In data protection law, data subject rights, or the rights of the data subject, refer to the rights of each individual vis-à-vis the controller responsible for the processing. The GDPR aims to expand these rights. Data subject rights include, among others, the information obligations (Art. 13, 14 GDPR), the right to access (Art. 15 GDPR), the right to erasure (Art. 17(1) GDPR), and the right to data portability (Art. 20 GDPR).
- Declaration of consent
A declaration of consent under data protection law, often also referred to as data protection consent or declaration of consent, is a written or electronic document in which a natural person gives their express consent to the processing of their personal data for specific purposes.
- Deletion Concept
A deletion concept according to the General Data Protection Regulation (GDPR) is a strategic plan or documentation created by companies and organisations to ensure that personal data is deleted properly and in a timely manner in accordance with the data protection regulations of the GDPR. The concept defines the processes and guidelines required to delete personal data once it is no longer needed for the purposes for which it was collected or processed.
- Demand Management
Demand management is a set of activities that focus on the customer's need for services and influence both the need and the provision of capacity to meet that need. At a strategic level, demand management can include the analysis of business activity patterns and user profiles. At a tactical level, it can use differentiated charging to encourage customer use of IT services during times of lower utilization.
- Deployment
Deployment is the activity that is responsible for the transition of new or changed hardware, software, documentation, processes, etc. into the live environment. Deployment is part of the Release and Deployment Management process.
- Design
- Domain
- Double-Opt-In
Double opt-in is a two-step consent process, for example for the sending of a newsletter. In the first step, the user enters their email address into a distribution list (single opt-in) and receives a confirmation email with a link or code to confirm the registration. Only after this second step is the newsletter subscription considered complete.
- E
- E-Commerce
E-commerce generally refers to trade on the internet. If an entrepreneur uses telecommunications to conclude a contract for the delivery of goods or the provision of services, a so-called contract in electronic commerce is concluded, for which special regulations apply.
- Emergency Changes
A change that must be implemented as soon as possible, for example to resolve a major incident or install a security patch. The change management process usually provides a specific procedure for handling emergency changes.
- Employee data protection
Employee data protection refers to the protection of personal data of employees or workers in a company or organisation. This aspect of data protection aims to protect the privacy of employees in a company or organisation and to ensure that their personal data is handled appropriately and lawfully.
Employee data protection covers various aspects, including:
Personal data: Organisations collect and process a variety of personal data about their employees, including names, addresses, dates of birth, national insurance numbers, bank details, salary information, health data and more. Protecting this data is critical to maintaining employee privacy.
Consent: In some cases, employee consent may be required to process certain types of data. For example, this may apply to health data or employee monitoring data.
Transparency: Companies should inform employees about what data is collected about them, how this data is used and what rights they have in relation to their data.
Security: It is important to take appropriate security measures to protect the confidentiality and integrity of employee data. This can include encryption, access controls and data security policies.
Purpose limitation: Employee data should only be processed for the purposes for which it was collected. The processing of employee data should not go beyond the fulfilment of work-related tasks, unless there is explicit consent or a legal basis.
Data minimisation: Companies should only collect and store the data of their employees that is necessary for the fulfilment of work-related tasks and compliance with legal requirements.
Employees' rights: Employees have the right to access their own data, the right to rectification of inaccurate data, the right to erasure (under certain conditions), the right to data portability and the right to object to the processing of their data in certain cases.
- Enterprise
An enterprise is an organization in which an employer, with his or her employees, pursues certain work-related purposes with the help of intangible and tangible assets under unified management.
- Entrepreneur
An entrepreneur is a natural or legal person or a legal entity that enters into a legal transaction for a purpose that serves its commercial or self-employed professional activity.
- ERP system
An ERP system (Enterprise Resource Planning) is an integrated software solution that centrally controls and optimizes all important business processes such as finance, human resources, production and logistics in a company. It enables real-time access to data and improves efficiency through the automation and transparency of processes. Companies use ERP systems to better manage resources, make more informed decisions and increase overall performance.
- Event
An event is a change in status that is significant for the management of a configuration item or IT service. The term "event" also refers to an alarm or notification from an IT service, a configuration item, or a monitoring tool. IT operations staff typically need to take action on events, and events often lead to the identification of incidents.
- Event Management (Process)
The process responsible for managing events throughout their lifecycle. Event management is one of the most important activities of IT operations.
- Exclusive License
An exclusive right of use in copyright law gives the licensee the sole right to use a work in a specific way and for a specified period of time, whereby the author cannot grant any further rights of use to others. It means that only the licensee is authorised to use the work, while the author himself may not exercise these rights or pass them on to third parties. This exclusive right of use can often lead to higher licence fees and gives the licensee greater control over the use of the work.
- F
- Facilities Management (Process)
The function responsible for the physical environment in which the IT infrastructure is located. Facilities management encompasses all aspects related to the management of the physical environment, such as the power supply and cooling system, access management for access rights, and environmental monitoring.
- File sharing
File sharing refers to the sharing of digital files, such as music, videos or software, between different users via a network, often the internet. It can be both legal and illegal, depending on whether the files shared are protected by copyright and whether the relevant licences or permissions have been obtained. File sharing can be done through special programmes or platforms that allow users to exchange files directly or share them in peer-to-peer networks. In many countries, including Germany, such illegal activities can lead to legal consequences, including warnings, claims for damages and even criminal prosecution.
- Financial Management
The functions and processes responsible for managing the requirements of an IT service provider for budgeting, costing, and chargeback.
- Fines
Violations of laws can either be administrative offenses or even criminal offenses and are in many cases punishable by a fine. If the imposition of a fine is considered, a penalty procedure will be initiated under the Administrative Offences Act (OWiG) of Germany.
- Firm
In commercial law, the firm is the name under which a merchant operates its business and signs its documents.
- G
- GDPR
The General Data Protection Regulation (GDPR) is a data protection regulation of the EU. It establishes harmonized rules for the processing of personal data by private companies and public authorities throughout Europe. The new regulation aims to guarantee better protection of the individual's personality rights.
- General right to personality (APR)
The general right to personality (APR) under Article 2(1) in conjunction with Article 1(1) of the German Basic Law (GG) is a comprehensive right to respect, development, and expression of one's personality. The protection afforded to the various spheres of a person's personality (social, private, and intimate spheres) differs in intensity.
- General terms and conditions (GTC)
General terms and conditions (GTC) are all pre-formulated contract terms that are used for a variety of contracts and that one party to the contract (the drafter) presents to the other party when concluding a contract. Such clauses are subject to substantive control under §§ 305 to 310 of the German Civil Code (BGB).
- I
- Imprint
An imprint is a legally required statement on websites, in publications or in business communications that contains information about the provider or operator. It serves to ensure transparency and traceability by providing contact details, legal representatives and information on liability and responsibility. In many countries, such as Germany, a complete and correct legal notice is mandatory, especially for business websites, in order to comply with legal requirements.
- Incident Management (Process)
The process responsible for managing the lifecycle of all incidents. The primary goal of incident management is to restore the IT service for users as quickly as possible.
- Incident Management (System)
The process responsible for managing the lifecycle of all incidents. Incident management ensures the swift restoration of normal service operations and the minimization of impact on the business.
- Incident Record
A record that contains the details of an incident. Each incident record documents the lifecycle of an individual incident.
- Incident(s)
An incident is an unplanned interruption or reduction in the quality of an IT service. Even the failure of a configuration item without any current impact on a service is an incident.
- Industrial property right protection
- Information Security Management (ISM)
The process that ensures the confidentiality, integrity, and availability of an organization's assets, information, data, and IT services. Information security management is typically part of an organizational approach to security management that goes beyond the scope of the IT service provider and includes the management of paper-based documents, access rights, phone calls, etc. for the entire organization.
- Information Security Management System (ISMS)
The framework of policies, processes, standards, guidelines, and tools that ensures that an organization can achieve its objectives in terms of information security management.
- Informational self-determination
The right to informational self-determination is the right of an individual to decide, in principle, how their personal data is collected and used.
- Insolvency proceedings
The insolvency proceeding is a legal process that is designed to ensure that the creditors of an insolvent debtor are fairly treated. In an insolvency proceeding, the debtor's assets are liquidated and the proceeds are distributed to the creditors. In some cases, an insolvency plan may be created that allows the debtor to remain in business and repay its debts over time.
- Internet Service Provider
Internet Service Providers (ISPs) are companies, businesses, or organizations that offer services, content, or technical services that are required for the use, operation, or presentation of content and services on the Internet.
- IP address
Internet Protocol (IP) addresses are used to transport data from the sender to the intended recipient. They are assigned to devices connected to the network, making them addressable and reachable.
- IT Law
IT law, short for information technology law, is an area of law that deals with legal issues relating to information technology and digital communication technologies. It covers a wide range of legal topics that are regulated in various laws.
- IT Operations Control
The function responsible for monitoring and controlling IT services and IT infrastructure.
- IT Operations Management
The function within the IT service provider that performs the daily activities required to manage IT services and support the IT infrastructure. IT Operations Management includes IT Operations Control and Facilities Management.
- IT Security Incident
An IT Security Incident is an event in which the security of information technology systems or data is compromised. This can occur through unauthorised access, data leaks, malware attacks or other cyber threats. An incident often requires rapid detection, analysis and response to minimise potential damage and restore IT security.
- IT Security Law
IT Security Law comprises legal provisions and regulations aimed at ensuring the security of information technology systems and data. It regulates aspects such as data protection, cybersecurity, liability and compliance.
- IT Service Management (ITSM)
The implementation and management of quality-based IT services that meet the needs of the business. IT service management is performed by IT service providers using a suitable combination of people, processes, and information technology.
- ITIL
The IT Infrastructure Library (ITIL) is a collection of publications that describe a possible implementation of IT service management and is now considered the de facto standard for it.
- K
- Knowledge Management
Knowledge management is the process of collecting, analyzing, storing, and sharing knowledge and information within an organization. The main purpose of knowledge management is to improve efficiency by avoiding the need to recreate existing knowledge.
- Known Error
A known error is a problem for which the underlying cause and a workaround have been documented. Problem management is responsible for the creation and management of known errors throughout their life cycle. Known errors can also be identified by development or suppliers.
- Known Error Database (KEDB)
A database that contains all records of known errors. This database is created by problem management and used by incident and problem management. The Known Error Database is part of the Service Knowledge Management System.
- Known Error Record
A record that contains the details of a known error. Each record of a known error documents the life cycle of a known error, including the status, underlying cause, and workaround. In some implementations, a known error is documented using additional fields in a problem record.
- KRITIS (Critical infrastructure)
‘Critical infrastructures (KRITIS) are organisations and facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences.’ BSI - General Information on KRITIS (bund.de)
- L
- Leasing contract
In a leasing contract, the lessor is obligated to provide the lessee with the use of an object for a fee. Legally, it is an atypical lease contract in which the lessee assumes liability for the object and the lessor transfers his claims against third parties to him.
- Legal capacity
Legal capacity means the ability to be an independent bearer of subjective rights and obligations. All natural and legal persons are legally capable, and some partnerships are also legally capable.
- Legal Framework
A legal framework sets out the basic laws, rules and principles that govern a particular activity or topic. It provides a clear legal context and defines the structure, responsibilities and rights associated with a particular area, such as data protection, IT security or corporate governance.
- Legal remedy
A legal remedy is any means of recourse that is permitted by the legal system to challenge an administrative or judicial decision, or a disadvantageous legal situation.
- Legal Tech
Legal tech is a combination of the terms "legal services" and "technology". It refers to the application of modern, computer-assisted, digital technologies to law. The goal is to simplify legal research, application, access, and management.
- License
A licence in copyright law is a contractual permission that allows a third party to use a copyrighted work in a certain way and within a defined framework. The licence can cover various types of use, such as reproduction, distribution or public performance, and can be limited in time and territory. Depending on the type of licence, the licensee may receive exclusive or non-exclusive rights, with the exact conditions and fees being specified in the licence agreement.
- Liquidation
Liquidation is the process of winding up a company, association, partnership, cooperative, or other legal entity. The goal of liquidation is to satisfy the creditors of the entity. If a different form of liquidation is chosen for a partnership, or if an insolvency proceeding is commenced, then liquidation does not occur.
- List of processing activities
The list of processing activities is mandatory for all companies covered by Article 30 of the GDPR. It serves as the basis for meeting the proof obligations for the processing of personal data and creating appropriate transparency. It should contain the personal data, the type of processing, and the technical and organizational measures to protect this data.
- M
- Malware
Malware is software that is designed to harm computer systems and to perform functions that are unwanted by the user. This includes viruses, Trojans, and worms.
- Managed Service
Managed service refers to an outsourcing practice in which a service provider assumes responsibility for certain business processes or IT services of a company. This often includes monitoring, maintenance, updates and support.
- Mandatory retention of telecommunications data
The storage of personal data by or on behalf of public authorities without a current need for that data is referred to as Vorratsdatenspeicherung (data retention). In the area of telecommunications services, this concerns the precautionary storage of certain connection data without any reasonable suspicion or specific danger being required.
- Market dominant companies
A company is considered to have a dominant market position if it is the only supplier or customer on the relevant market, or if it is not exposed to any significant competition, or if it has a superior market position compared to its competitors.
- Media Authority
A media authority is an independent, state authority responsible for the regulation and supervision of broadcasting and digital media in a specific area. It monitors compliance with legal provisions, issues broadcasting licenses and ensures that diversity of opinion is maintained. In Germany, the state media authorities are responsible for monitoring private broadcasters.
- Merchant
German commercial law defines a merchant as a person who operates a commercial business or whose commercial enterprise is considered a commercial business. The provisions of the German Commercial Code apply to merchants.
- Monopoly
A monopoly exists when there is only one supplier of an economic good. The German Competition Act (GWB) is intended to prevent such concentration of supply or demand.
- N
- Network access
According to the German Telecommunications Act (TKG), network access means the physical and logical connection of an end device to a telecommunications network or of telecommunications networks to each other. Network access is subject to special abuse supervision.
- NIS2
The NIS2 Directive, short for Network and Information Systems Directive 2, is a European directive on cyber security. It aims to strengthen the security of network and information systems in the European Union. NIS2 is a further development of the original NIS Directive and contains provisions for reporting security incidents, improving cooperation between member states and strengthening the cyber security of critical infrastructures. It sets out requirements for operators of essential services and digital service providers to increase their resilience to cyber attacks.
- Non-compete clause
A non-compete clause is a restriction on a person's commercial activity in favor of other entrepreneurs in the same field. In addition to statutory non-compete clauses, such clauses can also be agreed upon contractually.
- Non-Disclosure Agreement (NDA)
A Non-Disclosure Agreement (NDA), also known as a confidentiality agreement, is an agreement between two or more parties that regulates the exchange of sensitive information. It stipulates that the parties involved must treat the information received confidentially and may not disclose or use it without the consent of the other party. NDAs are often agreed when initiating a business deal in order to prevent the disclosure of business secrets.
- Non-exclusive license
A non-exclusive licence in copyright law allows the licensee to use a work in a specific way and for a specified period of time without transferring the copyright to the work. It is limited to use of the work by the licence holder and does not entitle the licensee to grant the same rights to others. Because the right of use is non-exclusive, the author remains free to make the work available to other users as well.
- P
- Patent
- Personal data
Personal data are all information that relates to an identified or at least identifiable individual and thus allows inferences about their personality. Special categories of personal data are those that are particularly sensitive. These include, among others: information about ethnic and cultural origin, political, religious, and philosophical beliefs, health, and sexuality.
- Preliminary legal protection
Preliminary legal protection is the possibility of temporarily securing one's subjective rights in urgent cases in an accelerated procedure. If it is to be feared that the violation of rights will continue until the decision in the main case, an appeal to the court in the main case does not provide sufficient legal protection. In particular in competition law, preliminary legal protection has largely replaced main proceedings.
- Privacy by Default
"Privacy by default" is another important concept in the European Union's General Data Protection Regulation (GDPR). It requires that data protection measures and settings in products and services are designed from the outset to ensure the highest possible level of privacy for users by default. This means that privacy settings do not need to be manually configured to protect privacy. Instead, privacy protection should be automatic and guaranteed from the outset.
- Privacy by Design
"Privacy by design" is a concept that is anchored in the European Union's General Data Protection Regulation (GDPR). It requires data protection and data security to be integrated into the development of products, services, systems and business processes right from the start. This means that data protection should not be added as an afterthought, but must be incorporated into design and development from the outset.
- Privacy Policy
In a Privacy Policy, the company provides information about the purpose for which it collects data from data subjects, who receives it and how it is processed. It also explains where the processing takes place and what rights the data subject is entitled to. It is a written (text form is sufficient) declaration drawn up by companies and organisations to disclose their data protection practices and policies. According to the GDPR, companies and organisations that process personal data are obliged to provide transparent information about the use of this data. The privacy policy is an important tool to ensure this transparency. A privacy policy in accordance with the GDPR should contain at least the following information:
Contact information of the controller: The statement should include the name and contact details of the data controller (usually the company or organisation).
Purpose of data processing: The privacy policy should explain the purpose for which the personal data is collected and processed. This may include, for example, contract fulfilment, customer care, marketing activities or other legitimate business purposes.
Legal basis: It should specify the legal basis for the data processing, e.g. the consent of the data subject, the fulfilment of a contract or the protection of legitimate interests.
Data categories: The types of personal data being collected should be detailed, e.g. name, address, email, payment information, etc.
Duration of data storage: The statement should specify how long the data will be stored or the criteria used to determine this duration.
Rights of data subjects: The privacy statement should explain the rights of data subjects under the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability and objection.
Data Protection Officer: If applicable, the privacy policy should include information on how to contact the Data Protection Officer (DPO).
Right to lodge a complaint: The statement should indicate how data subjects can contact the data protection supervisory authority in the event of data protection violations or discrepancies.
Data transfer and recipients: It should explain whether and to whom personal data is transferred, e.g. to third parties or to third countries.
Security measures: The privacy policy should contain information about the security measures taken to protect the data.
- Problem Management (Process)
The process that is responsible for the management of the lifecycle of all problems. The primary objective of Problem Management is to prevent incidents or to minimize the impact of incidents that cannot be prevented.
- Problem Record
A record that contains the details of a problem. Each Problem Record documents the lifecycle of a single problem.
- Problem(s)
A problem is the underlying cause of one or more incidents. At the time of creating a problem record, the cause is typically unknown. The Problem Management process is responsible for further investigation.
- Procuration
A procuration is a type of commercial power of attorney that authorizes the procurator by law to perform all legal transactions and acts that are associated with the operation of a commercial enterprise. If a procuration is granted, the owner of the commercial enterprise must register it in the commercial register (§ 53 (1) of the German Commercial Code).
- Product placement
- Protective letter
A protective letter is a document that a party submits to the court in order to arm itself in advance against possible legal disputes, particularly in the case of impending interim injunctions or other interim measures. It serves to present one's own position and to document why a certain measure would not be justified. The protective letter can help to prevent a quick and unwanted legal injunction and is particularly useful in disputes where an immediate court decision is imminent.
- Provisions
Provisions are amounts that are recorded on the liability side of the balance sheet of a commercial enterprise to offset expected losses, uncertain liabilities, or pension payments.
- Pseudonymization
Pseudonymization, as defined in Article 4 of the General Data Protection Regulation (GDPR), is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and must be subject to technical and organizational measures so that it cannot be used to attribute the data to the data subject.
- R
- Release
- Release and Deployment Management (Process)
"The process that is responsible for both release management and deployment." (itSMF, ITIL Version 3 Translation Project, 2007, p. 40)
- Release Management (Process)
"The process responsible for planning, scheduling, and controlling the transition of releases to test and live environments. The primary objective of release management is to ensure that the integrity of the live environment is maintained and that the correct components are included in the release. Release management is part of the release and deployment management process." (itSMF, ITIL Version 3 Translation Project, 2007, p. 41)
- Relevant market in competition law
The term relevant market is used in competition law to distinguish between the markets that are relevant for legal application. The following distinctions are made:
- Risk of repetition
In particular in trademark, competition, and copyright law, there is a presumption that after a single infringement, a similar violation will be committed again. The single infringement thus constitutes a risk of repetition. This risk can be eliminated by submitting a cease-and-desist declaration that is subject to a contractual penalty.
- Representation
Representation is the act of one person (the representative) acting for another (the represented) in the field of legal transactions. If the prerequisites for representation are met, the declaration of intent made by the representative in the name of the represented person has an immediate effect for and against the represented person.
- Request Fulfillment (Process)
"The process responsible for managing the lifecycle of all service requests." (itSMF, ITIL Version 3 Translation Project, 2007, p. 41)
- Right to informational self-determination
The right to informational self-determination is recognized by the Federal Constitutional Court as an expression of the general right to personality from Article 2 (1) in conjunction with Article 1 (1) of the Basic Law. It guarantees the individual's right to generally decide for themselves about the disclosure and use of their personal data.
- Right to restoration
The Social Code grants everyone the right to be advised by social authorities about their rights and obligations under the Social Code. If the authority advises the citizen incorrectly or incompletely and this causes the citizen a disadvantage, the citizen may, under the conditions of the social legal right to restoration, demand to be placed in the same position as they would have been in if they had been properly advised.
- Right to the protection of the confidentiality and integrity of information technology systems
The right to the protection of the confidentiality and integrity of information technology systems (also known as the IT basic right) protects against access to information technology systems that allow insights into essential parts of a person's life or contain a meaningful image of the personality. The Federal Constitutional Court recognizes this right as an expression of the general right to personality from Article 2 (1) in conjunction with Article 1 (1) of the Basic Law.
- S
- Sector-specific data protection
The term ‘sector-specific data protection’ refers to the protection of personal data in a specific area or sector. It means that data protection measures and practices are specifically tailored to the requirements and characteristics of that particular area or sector.
- Service Asset and Configuration Management (Process)
The process that is responsible for both configuration management and asset management.
- Service Capacity Management (SCM)
The activity that gathers insights into the performance and capacity of IT services. The resources used by each IT service, as well as their usage patterns, are captured, recorded, and analyzed over a period of time for use in capacity planning.
- Service Catalogue (Management)
A database or a structured document with information on all live IT services, including services that are available for deployment. The service catalog is the only component of the service portfolio that is delivered to customers. It supports the sales and delivery of IT services. The service catalog includes information on service deliverables, prices, orders, requests, and contact information.
- Service Contract
A service contract is a bilateral contract in which one party is obligated to provide the promised services and the other party is obligated to pay the agreed compensation (§ 611 BGB). In contrast to a work contract, only the mere performance is owed.
- Service Design (Package)
Documents that define all aspects of an IT service, including its requirements for each phase of the IT service lifecycle. A service design package is created for new IT services, comprehensive changes, and the retirement of IT services.
- Service Desk
The single point of contact for communication between the service provider and users. A service desk typically handles incidents and service requests and is responsible for communicating with users.
- Service Knowledge Management System (SKMS)
A collection of tools and databases that are used to manage knowledge and information. The SKMS includes the configuration management system as well as other tools and databases. The SKMS stores, manages, updates, and presents all information that an IT service provider needs to manage the entire lifecycle of IT services.
- Service Level Management
The process that is responsible for negotiating and ensuring the compliance of service level agreements. SLM should ensure that all IT service management processes, operational level agreements, and underpinning contracts are appropriate for the agreed service level objectives. SLM is responsible for monitoring and reporting on service levels, as well as conducting regular customer reviews.
- Service Request
A request from a user for information, advice, a standard change, or access to an IT service. This could include, for example, resetting a password or providing standard IT services for a new user. Service requests are typically handled by a service desk and do not typically require the submission of an RFC.
- Severance Payment
A severance payment is a one-time (usually monetary) payment to discharge legal claims. In labor law, severance pay is a special payment that an employee receives upon termination of the employment relationship for the loss of their job. However, there is no general right to payment of severance pay.
- SLA
SLA stands for Service Level Agreement. It is a contractual agreement between a service provider and a customer that defines the agreed services, standards and expectations. SLAs define certain performance indicators, such as response times, availability and support, in order to guarantee the quality of the services provided, e.g. for data centre services.
- Specialist lawyer
A specialist lawyer is a lawyer who has specialized knowledge in a particular area, such as IT law. The bar association grants the right to use this designation on the basis of evidence of corresponding theoretical knowledge and practical experience.
- Straw man
A straw man is a person who is put forward by the actual business owner and acts in the public eye in their own name, but in reality in the interests of the business owner. The business owner, not the straw man, is immediately entitled and obligated from the concluded business.
- Supplier Management
The process responsible for ensuring that all contracts with suppliers support the business requirements and that all suppliers meet their contractual obligations.
- T
- Telemedia
Telemedia are electronic information and communication services that are offered via the internet or other electronic networks, such as websites, emails, streaming services and online stores. They include both editorial content and commercial offers, but do not fall under traditional broadcasting. In Germany, telemedia is regulated by the Telemedia Act (TMG), which sets out requirements for data protection, the obligation to provide a legal notice and the protection of minors.
- Termination
Termination is the unilateral termination of a long-term contractual relationship by a termination notice with effect for the future. A distinction is made between ordinary and extraordinary termination. Regulations on ordinary termination can be found in the law for the individual types of contracts, such as employment or service contracts.
- Testimonial
A testimonial is a positive statement or recommendation from a person, often a customer or celebrity, that confirms the quality of a product or service. It serves as credible proof of effectiveness or benefit and is often used in advertising or on websites. Testimonials are intended to strengthen the trust of potential customers and positively influence their purchasing decision.
- Third country
A third country within the meaning of the GDPR is a country that is located outside the European Union. Increased requirements must be met for the admissibility of the transfer of personal data to recipients in third countries.
- TMG (Telemedia Act)
The German Telemedia Act (TMG) defines the legal framework for electronic information and communication services such as websites, online stores and social networks. Among other things, it regulates the obligations of service providers with regard to data protection, liability, imprint obligations and the protection of minors. The aim of the TMG is to ensure the safe and responsible use of digital media and to protect the rights of users.
- TOM
Technical and organisational measures (TOM) are a central component of data protection and data security law. TOM refers to the specific steps and precautions that organisations must take to adequately protect personal data. This includes technical security measures such as encryption, access controls and data backup, as well as organisational measures such as data protection guidelines, training and the implementation of data protection impact assessments. TOMs are designed to ensure that personal data is protected against unauthorised access, loss, destruction or other data breaches.
- Trade
A trade is any permitted, profit-oriented, and self-employed activity that is planned for a certain period of time. All companies in the trade, handicrafts, industry, and transportation sectors are businesses. Free professions and primary production are excluded from the definition of a trade.
- Trademark
In accordance with the German Trademark Act (MarkenG), all signs that are capable of distinguishing the goods or services of one company from those of another company are protected. Such marks are protected by registration in a trademark register maintained by the German Patent and Trade Mark Office.
- U
- Under-the-table deal
A business transaction that is not recorded on the books and is therefore not subject to tax is called an under-the-table deal. If the main purpose of the transaction is to evade taxes, it is considered to be immoral and therefore void under § 138 of the German Civil Code.
- Utility model
A new invention that is based on an inventive step and is commercially applicable can be protected as a utility model. In contrast to a patent, a utility model requires less technical progress and a lower level of inventive step.
- UWG (Act against unfair competition)
UWG (Unfair Competition Act) is a German law that regulates unfair commercial practices and aims to protect fair competition. It prohibits misleading advertising, aggressive sales tactics, and other practices that distort competition. The UWG ensures market transparency and protects the interests of both competitors and consumers.
- W
- Work contract
A work contract is a bilateral contract in which the contractor is obligated to create the promised work, and the customer is obligated to pay the agreed compensation (§ 631 BGB). In contrast to a service contract, a result (the work) is owed.