Last updated: 14 February 2024
§ 1 OTTO Market
1.1 Otto (GmbH & Co KG), Werner-Otto-Strasse 1-7, 22179 Hamburg, Germany ("OTTO"), enables companies within the meaning of § 14 BGB (Civil Code) ("DEALERS") to sell products in their own name and for their own account via the seller platform ("Marketplace") operated by OTTO on the website http://www.otto.de to consumers within the meaning of § 13 BGB (Civil Code). OTTO provides the DEALERS with a central platform for managing activities on the Marketplace ("OTTO Partner Connect" or "OPC") via the URL.portal.otto.market. In addition, OTTO enables the DEALERS under certain conditions to handle their management-relevant processes on the Marketplace (in particular product data maintenance, order processing, etc.) ("Marketplace activities") via a technical interface ("API").
§ 2 Subject matter of these Terms & Conditions
2.1 OTTO enables companies within the meaning of § 14 BGB ("SERVICE PROVIDER") to obtain access to OPC and/or to the API in accordance with these Terms & Conditions in order to be able to manage their Marketplace activities for the DEALER ("service provider program").
2.2 A separate contractual relationship is therefore required between the DEALER and the SERVICE PROVIDER, which regulates the authority of the SERVICE PROVIDER and its legal responsibility in relation to the DEALER. The SERVICE PROVIDER acts as a representative for the DEALER in managing Marketplace activities. The DEALER remains responsible to OTTO for managing the Marketplace activities and all related contractual obligations.
2.3 Reservation of the right to make amendments
2.3.1 Change process for minor amendments
OTTO is entitled to amend these Terms & Conditions according to the following process with effect for the future, insofar as the amendments are insignificant and do not affect the equivalence relationship between the parties. In this case, OTTO undertakes to inform the SERVICE PROVIDER of the amendments to the Terms & Conditions in text form at least 30 days before they come into effect. The SERVICE PROVIDER may object to the amendments up to the effective date at the latest. Alternatively, the SERVICE PROVIDER may terminate the contract before the amendments come into force with immediate effect or with effect from the date on which the amendments come into force. If the SERVICE PROVIDER does not object to the amendments or if the SERVICE PROVIDER does not terminate the contract by the date on which they come into force at the latest, the amendments shall be deemed to have been accepted. OTTO undertakes to inform the SERVICE PROVIDER of this right of termination and the legal consequences of silence in the notification. In the event of an objection by the SERVICE PROVIDER, OTTO reserves the right to terminate the contract with due notice.
2.3.2 Change process for significant amendments
Notwithstanding Section 2.3.1 and Section 14.1, OTTO is entitled to amend these Terms & Conditions at any time with effect for the future in accordance with the following process, insofar as the amendments are material and affect the equivalence relationship between the parties. In this case, OTTO proposes the amendments desired to the SERVICE PROVIDER in text form. The SERVICE PROVIDER is obliged to inform OTTO within 30 days of OTTO's notification in text form or via a provided user interface whether the SERVICE PROVIDER agrees to the proposed amendments or rejects them. If the SERVICE PROVIDER agrees to the amendments, these take effect from the time of approval. If the SERVICE PROVIDER does not agree to the proposed amendments, the Terms & Conditions shall continue to apply in their previous version; in this case, OTTO reserves the right to terminate the contract with due notice.
2.4 Relationship to other Terms & Conditions
The participation of the Dealers in the Marketplace is subject to the separate Terms & Conditions and a Payment Services Framework Agreement as amended from time to time ("Marketplace Terms & Conditions"). The use of OPC is subject to the separate "Terms & Conditions OTTO Partner Connect". Additional services offered under OPC, which the SERVICE PROVIDER may commission for the DEALER, may be subject to additional terms and Conditions. All existing contractual relationships between DEALER and OTTO remain unaffected by these Terms & Conditions.
§ 3 Use of the service provider program
3.1 Registration / access data
3.1.1 OTTO provides the SERVICE PROVIDER with access data to an account for the service provider program after registration. The granting of access to the service provider program is at the sole discretion of OTTO. The SERVICE PROVIDER is to store the access data provided securely and protect it from unauthorised access by third parties.
3.1.2 The SERVICE PROVIDER nominates a functional email address to OTTO, which may be used by OTTO to communicate with the SERVICE PROVIDER.
3.2 Test phase (only in the case of an API connection)
The SERVICE PROVIDER is obliged to compare the configuration of the API with its software in a test environment in order to ensure compatibility between the API and the SERVICE PROVIDER's software.
3.3 Assessment and acceptance by OTTO (only in the case of an API connection)
3.3.1 OTTO assesses the software used by the SERVICE PROVIDER with regard to compatibility, quality and (data) security. If the result of this assessment is positive, OTTO sends a confirmation to the email address provided by the SERVICE PROVIDER during registration. The parties expressly declare that the SERVICE PROVIDER remains solely responsible for the security and compatibility of its software despite the testing carried out by OTTO.
3.3.2 Should the SERVICE PROVIDER wish to make a fundamental adjustment or extension to the software after the review has been carried out, which restricts or improves the control of the DEALER's Marketplace activities, the SERVICE PROVIDER must inform OTTO of this via the email address partnerintegration@otto.market. OTTO reserves the right to conduct a new quality check of the scope of use of the API depending on the type and scope of the adaptation or extension. Basic adjustments include, for example, the addition of additional interfaces (products, receipts, orders, etc.).
3.4 Operating phase
3.4.1 In the case of an API connection, OTTO enables the SERVICE PROVIDER, with the cooperation of the respective DEALER, to establish a secure connection between the SERVICE PROVIDER and the DEALER and between the SERVICE PROVIDER and the API by generating authentication keys and tokens based on the so-called OAuth standard after successful completion of the test phase and acceptance.
3.4.2 SERVICE PROVIDERS who wish to obtain access to OPC on behalf of a DEALER are granted access by the DEALER using the invitation link generated by the SERVICE PROVIDER.
3.4.3 The respective DEALER determines the scope of content and time in which the SERVICE PROVIDER has access to the control of Marketplace activities. Any expansion of the scope of the Marketplace activities of the respective DEALER controlled by the SERVICE PROVIDER requires the separate consent of the respective DEALER.
3.4.4 The DEALER has the option of withdrawing or restricting the SERVICE PROVIDER's access at any time via OPC.
3.4.5 The SERVICE PROVIDER is responsible for all users who use the service provider program via the SERVICE PROVIDER's access.
3.5 Guarantees of the SERVICE PROVIDER
The SERVICE PROVIDER guarantees,
3.5.1 to use the OAuth standard for every data exchange with the API;
3.5.2 not to upload, provide or otherwise process any content or data in or via the service provider program that could impair the service provider program, the API, OPC, the Marketplace or other OTTO services, in particular illegal content or malware;
3.5.3 to be authorised by the respective DEALER to control the Marketplace activities to the extent required for this purpose;
3.5.4 to ensure that within the SERVICE PROVIDER's company only those employees who are qualified and designated to use the service provider program have access to it;
3.5.5 to create the technical prerequisites for the changeover to a new API version within the reasonable period communicated by OTTO;
3.5.6 to enable the Dealer to comply with the applicable Marketplace Terms & Conditions when carrying out Marketplace activities;
3.5.7 to answer and provide OTTO or third parties with complete and truthful information requested in connection with the use of the service provider program and to inform OTTO immediately of any amendments to this information.
3.6 Availability
OTTO endeavours to make the service provider program, OPC and the API available 24h/365 days. The availability of the service provider program, OPC and the API may, however, be limited by force majeure or by maintenance work or other downtimes.
3.7 Amendments to the service provider program, OPC or the API
3.7.1 OTTO may from time to time make amendments to the service provider program, OPC or API, which may occasionally include amendments that are not backward compatible. Insofar as these amendments allow for planning, OTTO undertakes to inform the SERVICE PROVIDER of the amendments in advance.
3.7.2 The SERVICE PROVIDER is responsible for making any necessary adjustments to its software and hardware at its own expense as a result of such amendments.
§ 4 Remuneration
Use of the service provider program is generally free of charge.
§ 5 Reporting of data leaks
The SERVICE PROVIDER is obliged to immediately report to OTTO by telephone (+49 040 6461-1666) and/or by email incident-alert@otto.de any detected or suspected data leaks or other incidents that are likely to compromise the security and integrity of the service provider program, OPC of the API, the Marketplace or the Marketplace activities.
§ 6 Access restrictions and other restrictions on the use of the service provider program, OPC and the API
6.1 In the event of a breach of these Terms & Conditions, or if this is necessary for reasons of security or integrity of the service provider program, OPC, the API, the Marketplace or the Marketplace activities, or due to justified suspicion, OTTO is entitled to temporarily or permanently restrict access to the service provider program, OPC and/or the API.
6.2 Restrictions or effects in the use of the service provider program, OPC and/or the API may also result from the fact that the use of the Marketplace is restricted for the respective DEALER in accordance with the Marketplace Terms & Conditions (e.g. in the event of product blocking due to violation of the Marketplace Terms & Conditions) or as a result of termination of the contract between OTTO and the DEALER, the connection of the DEALER to the API and/or OPC is deactivated.
§ 7 Duration and termination
7.1 The contract is concluded for an indefinite period and may be terminated at any time with one (1) month's notice to the end of each calendar month. The right to terminate the contract for good cause remains unaffected.
7.2 Notice of termination must be given at least in text form. The SERVICE PROVIDER may direct its notice of termination to partnerintegration@otto.market.
§ 8 Liability of OTTO and indemnification against claims
8.1 Insofar as the use of the service provider program is free of charge, OTTO's liability is governed by §§ 599, 600 BGB. Otherwise, the following Sections 8.2 to 8.5 shall apply to OTTO's liability.
8.2 OTTO is liable without limitation for intent and gross negligence, for injury to life, limb or health, in accordance with the provisions of the Product Liability Act and in the event of the assumption of a guarantee. OTTO is not liable for slightly negligent breaches of non-essential contractual obligations (cardinal obligations). A breach of a cardinal obligation is deemed to have occurred if a contractual obligation, the fulfilment of which is a prerequisite for the proper performance of the contract and on the observance of which the DEVELOPER may regularly rely, is not performed. In this case, however, liability is restricted to the type of predictable damage typically anticipated in this line of business.
8.3 Subject to Section 8.2 sentence 1, OTTO is not liable for loss of profit, loss of savings, indirect damages and consequential damages.
8.4 Subject to Section 8.2 sentence 1, OTTO's liability for data loss shall be limited to the usual restoration costs that would have been incurred if the SERVICE PROVIDER had made regular backup copies appropriate to the risks. In this respect, it is reasonable for the SERVICE PROVIDER to perform a separate backup of its data at least once a day.
8.5 With the exception of liability under Section 8.2 Sentence 1, the above limitations of liability are deemed to apply to all claims for damages, irrespective of their legal basis and including claims for damages in tort. The above limitations of liability also apply in the event of any claims for damages against employees, representatives or officers of OTTO.
8.6 The SERVICE PROVIDER is to indemnify OTTO upon first request against claims asserted by third parties, in particular the DEALERS, due to a breach of the warranties mentioned under Section 3.5 or due to a culpable breach of obligations arising from these Terms & Conditions.
§ 9 Confidentiality
9.1 The parties are obliged to maintain strict confidentiality with regard to all confidential information that comes to their knowledge in the context of this contract and the use of the service provider program, and the parties undertake to use the confidential information exclusively in connection with the developer program.
9.2 The respective party may only disclose the Confidential Information within its business operations to the management and such employees, consultants, subcontractors and other agents of its own business operations or the business operations of an affiliated company to the extent necessary for the permitted use of the Confidential Information under this Agreement.
9.3 Confidential information is information that is either marked as confidential or for which it may reasonably be inferred from its content or the circumstances that it is to be treated confidentially. In particular, the following data is considered confidential information: (a) information on current and future products or services; (b) financial, technical, operational, sales and marketing information; (c) information on industrial property rights, ideas, designs, software, analyses and know-how; (d) business secrets, plans, forecasts and reports, plans, strategies, offers, budgets, prices and costs as well as information on contractual partners and customers; (e) information relating to the skills, competencies and remuneration of employees, consultants and service providers; and (f) data of the SERVICE PROVIDER from the self-disclosure and data security check.
9.4 The parties undertake to obligate and supervise their employees, freelancers and other companies involved in accordance with the above provision.
9.5 The confidentiality obligation is deemed to apply beyond the period of this contract for a period of three (3) years.
§ 10 Use of logos / advertising
The SERVICE PROVIDER is only authorised to use OTTO or "OTTO Market" logos or the "OTTO" brand with the prior express consent of OTTO by email. The same applies to any advertising measures relating to OTTO, in particular with the name "OTTO" or "OTTO Market".
§ 11 Data protection and data security
11.1 OTTO transmits the purchase/order information (purchase data) of the DEALERS who sell products via the Marketplace in their own name and on their own account to the DEALERS via OPC and/or the API as part of order processing within the meaning of Art. 28 GDPR.
11.2 If a DEALER decides to have the purchase data collected by a SERVICE PROVIDER via OPC and/or the API, the SERVICE PROVIDER shall act as a processor within the meaning of Art 28 GDPR for the DEALER. OTTO is not affected by this contractual and data protection situation.
11.3 In the case of Section 11.2 S.1, the SERVICE PROVIDER undertakes
· to conclude a corresponding agreement with the DEALER on order processing that satisfies the statutory requirements of Art 28 GDPR, and
· take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons when processing data pursuant to Art. 32 GDPR, appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Further details on the measures to be taken into account are provided in Appendix A.
· Should the SERVICE PROVIDER use subcontractors in the context of processing the data and should these subcontractors act as processors within the meaning of Art 28 GDPR, the SERVICE PROVIDER shall conclude an agreement with the subcontractors on order processing in accordance with the legal requirements. If a third party processes the data as the data controller under data protection law, the party is to conclude data protection provisions with the third party that correspond to these provisions. Data may only be transferred to third parties in compliance with the relevant legal requirements.
The SERVICE PROVIDER undertakes to develop and keep up to date a strategy or action plan to detect and eliminate potential security vulnerabilities. The SERVICE PROVIDER is also obliged to secure physical hardware that stores personal data against technical risks by regularly carrying out vulnerability scans and addressing identified risks. Scans to detect vulnerabilities must be performed at least every 180 days or penetration tests at least every 365 days. A check for potential vulnerabilities is mandatory before every code release. The SERVICE PROVIDER is to monitor amendments to storage hardware.
§ 12 Audit law
OTTO or a company selected by OTTO may, upon request, check records, facilities, processes, software and security systems for information security in connection with the use of the software provided by the SERVICE PROVIDER or other systems for which the SERVICE PROVIDER is responsible. The SERVICE PROVIDER undertakes to make any available test reports accessible to OTTO upon request. Confidential information disclosed in the course of such audits is treated confidentially by OTTO. The SERVICE PROVIDER provides support during the inspection and is to remedy any defects within a reasonable period of time. The SERVICE PROVIDER undertakes to submit evidence of the repair in the form requested by OTTO and to have it confirmed by OTTO.
§ 13 Feedback
OTTO may ask the SERVICE PROVIDER for feedback on the service provider program. The use of feedback from the SERVICE PROVIDER is at the sole discretion of OTTO. Insofar as the SERVICE PROVIDER's feedback contains content that is capable of being protected by intellectual property rights, the SERVICE PROVIDER shall grant OTTO a simple, perpetual, non-revocable and free-of-charge right to use the corresponding components of the feedback.
§ 14 Final provisions
14.1 Amendments and additions to this contract - with the exception of Section 2.3 of these Terms & Conditions, including this Section - are to be in the written form.
14.2 Should any provision of this contract be wholly or partially in breach of statutory regulations or be void for other reasons, the validity of these Terms & Conditions remains otherwise unaffected. The void or ineffective provision is to be replaced by mutual agreement by an effective provision which comes as close as possible to the economically intended purpose of the ineffective provision.
14.3 This contract is governed exclusively by the laws of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods and private international law. The exclusive place of jurisdiction is the respective competent court responsible for OTTO's registered office.
Appendix A
Technical and organisational measures
The SERVICE PROVIDER undertakes to ensure the legally required security measures in the area of the processing of personal data in accordance with the order and to provide OTTO with evidence of such measures upon request. The following special technical and organisational measures are observed during processing:
1. Confidentiality
a) Access control (e.g. for buildings and rooms; to cabinets and shafts)
Minimum measures to prevent unauthorised individuals from gaining access to data processing systems which are used to process personal data:
- Secure locking system
- Access control system
- Monitoring equipment, possible establishment of safety zones
b) System access control (no unauthorised system use, for example, unauthorised startup or unauthorised logon to systems). Minimum measures with which the use of data processing systems by unauthorised persons is prevented:
- Secure authentication mechanisms (secure password plus extended functions such as multi-factor authentication)
- Automatic locking, logout in case of prolonged non-use
- Firewall
- Virus protection
c) Access control (running applications, preventing unauthorised activities in DP systems and access to data, applications and interfaces)
Minimum measures to ensure that persons authorised to use a data processing system only have access to the data subject to their access authorisation and that personal data is not read, copied, modified or removed without authorisation during processing, use and after storage:
- Differentiated authorisations for the DP systems (profiles, roles)
- Vulnerability management including regular security updates (check for updates at least monthly, ad hoc in the event of serious vulnerabilities)
- Implemented and effective erasure concepts
- Use of suitable encryption (encryption at rest, within the application, in transport)
- Logging, monitoring and alerting of login attempts
d) Separation control Minimum measures to ensure that personal data collected for different purposes and for different clients are processed separately.
- Logical storage of customer data by data controller
- Test and production data must be processed in separate systems
2. Integrity
a) Transfer control
Minimum measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or while being transported or stored on data media:
- State-of-the-art encrypted transmission (in, within and outside cloud environments) and storage
- Active monitoring and log management
b) Input control (traceability, documentation)
Minimum measures to ensure that it is possible to verify retrospectively whether and by whom personal data may be entered, modified or removed in data processing systems:
- Data amendments only possible if authenticated and authorised
- Logging, monitoring and alerting of data amendments
- Authenticated and authorised access controls
3. Availability
Minimum measures to ensure that personal data is protected against accidental destruction or loss, against technical malfunctions caused by the failure of the operating/application software, against negligent/intentional acts, against malicious software:
- Regular backups, regular recovery exercises
- Software that offers protection against malware
- Business impact analysis and appropriate scalability of infrastructure and services
- Contingency plan for rebuilding IT systems that process personal data
- DDoS protection