Arago apps - Data Processing Agreement (DPA)

Arago apps DPA
1. PREAMBLE

The service provider provides services for the controller on the basis of a separate contractual relationship.

This contract is concluded between the parties in order to ensure adequate protection of personal data (hereinafter also referred to as "data") in situations in which this data is transferred from the Controller to the Processor for the purpose of processing.

Furthermore, this contract supports the parties in complying with the applicable regulations on the processing of personal data, in particular in accordance with the Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR) (hereinafter "applicable data protection provisions").

In addition to the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, the Swiss Federal Act on Data Protection (FADP) also applies. Wherever reference is made to the GDPR in these clauses, the corresponding provision of the FADP shall apply analogously.

The controllers and processors have agreed to these clauses to ensure compliance with the provisions of Article 28(3) and (4) of Regulation (EU) 2016/679 and/or the provisions of Article 29(3) and (4) of Regulation (EU) 2018/1725.

These clauses apply to the processing of personal data as described in Annex 1.

Having said this, the parties conclude the following contract:

2. TERMS

All terms have the same meaning as under the FADP. Within the scope of application of the GDPR, they are to be understood in accordance with the GDPR.

3. OBJECT OF THE CONTRACT, TYPE AND DURATION OF DATA PROCESSING

The subject matter of this contract and the nature and duration of the processing are set out in the contracts concluded between the parties and in Annex 1 to this contract. This contract is concluded as an annex to the main contract and forms an integral part thereof.

4. PLACE OF PROCESSING

The processing of personal data by the Processor always takes place in Switzerland, a member state of the European Union (EU), a member state of the European Economic Area (EEA) or another country with an adequate level of data protection.

Any transfer of personal data by the Processor to a country without an adequate level of data protection is only permitted with the written consent of the Controller.

When requesting such consent, the Processor shall provide the Controller with evidence that appropriate safeguards exist and that an adequate level of protection is ensured.

5. TECHNICAL AND ORGANISATIONAL MEASURES

The Processor shall take appropriate technical and organisational measures to ensure a level of data security appropriate to the risk. The Processor shall ensure compliance with the technical and organisational measures specified in Annex 2 to this contract. These must have been implemented by the Processor before the start of processing.

The technical and organisational measures to be implemented are data security measures and measures to ensure a level of protection appropriate to the risk in order to ensure the confidentiality, integrity, availability and traceability of the data. The state of the art, the implementation costs, the type of data processed and the purpose, type, scope and circumstances of the processing as well as the varying probability of occurrence and severity of the risk to the personality or fundamental rights of the data subject must be taken into account. The measures must make it possible to avoid breaches of data security.

The Processor shall regularly monitor its internal processes and the technical and organisational measures to ensure that the processing within its area of responsibility is carried out in accordance with the requirements of the applicable data protection provisions and that the rights of the data subjects are protected.

The technical and organisational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative measures of equivalent adequacy. In doing so, the level of security provided by the measures specified in this contract may not be undercut. Changes must be recorded in writing or by e-mail.

Upon request, the Processor shall provide the Controller with evidence of the technical and organisational measures it has taken.

The Controller shall independently take appropriate technical and organisational measures to protect personal data in its area of responsibility (e.g. on its own systems, buildings, applications/environments under its operational responsibility).

6. OBLIGATIONS OF THE PROCESSOR

6.1 Bound by instructions

The Processor shall process personal data exclusively in accordance with the provisions of this contract, any related contract and the Controller's further instructions. The Processor must confirm verbal instructions immediately in writing or by e-mail. Significant adjustments to the co-operation must be agreed between the parties in writing.

The Processor shall inform the Controller immediately if it is of the opinion that an instruction violates the law applicable to it, unless it is legally prohibited from doing so due to an important public interest. In this case, the Processor may suspend the implementation of the instruction until its legality has been ensured.

The parties shall communicate with each other through the authorised persons with authority to issue instructions listed in Annex 1 to this contract. In the event of a change or long-term absence of an authorised person, the other party must be informed immediately of the successor or representative.

6.2 Information and support obligations

If the Processor is unable to fulfil its obligations under this contract for any reason whatsoever or if this is foreseeable, it undertakes to inform the Controller immediately.

Furthermore, the Processor shall promptly inform the Controller of any request or notification from a governmental, regulatory, supervisory or other authority, unless the Processor is legally prohibited from informing the Controller.

In addition, the Processor undertakes to provide the Controller with timely and appropriate support, to the best of its ability, in complying with the applicable data protection provisions, in particular with regard to the security of personal data, the creation and updating of the record of processing activities, data protection impact assessments and prior consultation of the Federal Data Protection and Information Commissioner or another supervisory authority.

If the Controller is subject to an inspection by the Federal Data Protection and Information Commissioner (EDÖB), administrative-offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the processing carried out by the Processor on the Controller's behalf, the Processor shall provide the Controller with appropriate support to the best of its ability.

6.3 Obligations in connection with the rights of data subjects 

If a data subject asserts their rights directly with the Processor (or a Sub-processor), the Processor must forward this request or enquiry to the Controller without delay, without responding to it in terms of content.

The Processor (and any Sub-processor) undertakes to co-operate fully and promptly with the Controller and to provide the necessary support in fulfilling requests or enquiries from data subjects.

At the Controller's request, the Processor shall in particular correct, restrict (e.g. block) or delete the personal data.

6.4 Reporting breaches of data security

The Processor must inform the Controller immediately (within 48 hours at the latest) of all cases in which the Processor, persons employed by it or a Sub-processor have violated data security requirements or any other provision of this contract. The same applies to serious operational errors or irregularities in the processing of personal data. There is also an obligation to notify in the event of the loss or unlawful disclosure of personal data, or of accidental or unauthorised access to such data by unauthorised third parties. Reasonable suspicions of any of the above must also be reported.

The Processor undertakes to support the Controller to the extent necessary in connection with a breach of data security in its obligations under the applicable data protection provisions. In particular, the Processor undertakes to take appropriate measures to protect the personal data and to prevent or limit any adverse effects on the data subjects.

6.5 Confidentiality

The Processor shall take the appropriate measures to ensure that only the natural persons acting under the authority of the Processor or the latter’s Sub-processor and who need access to the Personal Data are given access to that data, and only to the extent required for the Processing Operations.

The Processor shall be subject to any official, professional, business, manufacturing and banking secrecy obligations applicable to the Controller, as well as to other statutory and contractual confidentiality obligations. It shall keep the processing of personal data confidential. The Processor may only make personal data accessible to third parties, pass it on, disclose it or provide information about it with the prior written consent of the Controller. Authorised Sub-processors are not deemed to be third parties, and statutory disclosure obligations are reserved.

The Processor shall impose a duty of confidentiality on all persons who have access to personal data within the scope of this contract or who could gain access to such data, unless they are already subject to an appropriate statutory or contractual duty of confidentiality.

The obligation to maintain confidentiality shall also apply beyond the termination of this contract.

6.6 Subcontracting

When processing personal data, the Processor may use the Sub-processors named in Annex 3 to this contract for the services specified in each case.

Where a Sub-processor is used, the Processor shall impose on it the same obligations as those arising from this contract and shall ensure that the Sub-processor can fulfil these obligations.

In relation to each Sub-processor, the Processor shall grant the Controller the right to monitor and inspect the Sub-processor in accordance with this contract and to demand fulfilment of all obligations set out in this contract from the Sub-processor. This includes the Controller's right to request appropriate information from the Sub-processor or the Processor regarding the content of the subcontract and the implementation of the requirements of the applicable data protection provisions.

The Processor shall inform the Controller of its intention to appoint a new Sub-processor, and the Controller shall have the right to object to the appointment within 30 days in writing or by e-mail to the Processor. Authorised Sub-processors shall not be deemed to be third parties, and statutory disclosure obligations shall be reserved. In any case, the addition (or removal) of a Sub-processor shall not adversely affect the level of security provided under this contract. The Controller may revoke its consent to subcontracting for good cause, in particular in the event of a breach of law or contract. The subcontracting must then be stopped immediately.

In the event that the Processor engages a Sub-processor without the Controller's consent, the Controller shall be entitled to terminate this contract extraordinarily and with immediate effect.

The Processor shall be fully liable to the Controller for the fulfilment of the Sub-processor's obligations.

Further subcontracting by the Sub-processor is not permitted.

If a Sub-processor fails to fulfil its obligations under data protection law arising from such a subcontract, the Processor shall remain responsible to the Controller for the fulfilment of the Sub-processor's obligations.

6.7 Use of European Union Standard Contractual Clauses

To avoid each of the Client's Affiliates that exports data having to sign a separate bilateral contract with the Supplier as data importer, this DPA, entered into by the Client in its own name and on behalf of its Affiliates, is deemed to constitute a contract between each of the Client's Affiliates (each as data exporter) and the Supplier (as data importer) in accordance with the terms of this DPA.

The Parties agree that any transfer of personal data by one or more Affiliates of the Client, as data exporter, to the Supplier, as data importer, that would be prohibited under the applicable data protection provisions in the absence of Standard Contractual Clauses shall be subject to the terms of the Standard Contractual Clauses.

This Agreement also applies to transfers of personal data by non-European Affiliates of the Client (data exporters) if, and to the extent that, the Standard Contractual Clauses are sufficient to meet the relevant local requirements.

For the avoidance of doubt, a transfer of personal data is deemed to have taken place if the Supplier accesses the personal data of any Affiliate of the Client by any means, including but not limited to electronic means, even if the physical location of the data remains unchanged and the Supplier does not itself hold such personal data.

The Parties agree that the Client may occasionally modify the list of data exporters, in particular by adding or removing one of its Affiliates, ensuring that the Supplier is informed.

The Client may, in the name and on behalf of its Affiliates, bring claims to enforce this contract. The Client undertakes to make commercially reasonable efforts to ensure that any claim of one of its Affiliates against the Supplier under this contract is assigned by the Affiliate concerned to the Client, and the Client accepts such assignment.

7. CONTROL RIGHTS OF THE CONTROLLER 

The Controller has the right to monitor the Processor's compliance with the applicable data protection provisions and/or this contract, to an appropriate and necessary extent, either itself or through third parties commissioned by the Controller, in particular by obtaining information, inspecting the processed/stored data and the data processing systems and programs used, and carrying out other checks and inspections on site.

The Processor shall grant the persons entrusted with the inspection access and the right of inspection to the extent necessary. The Processor shall be obliged to provide the necessary information, demonstrate processes and provide evidence insofar as this is necessary for the performance of the inspection.

The Controller may commission a suitably qualified external auditor, who is subject to the obligation of confidentiality, to check whether the Processor complies with the provisions of this Agreement and the applicable data protection provisions and/or whether the statements made by the Processor in accordance with this Agreement are true and complete.

In any case, the principle of proportionality must be observed in the context of such audits, and the Processor's interests worthy of protection (in particular the right to confidentiality) must also be taken into account appropriately.

Checks at the Processor's premises must be carried out without avoidable disruption to business operations, after reasonable advance notice (except in urgent cases) and during the Processor's business hours.

8. LIABILITY

The Processor shall be liable for the faithful and careful execution of its order and guarantees that its services comply with the contractual conditions and specifications as well as the current state of science and technology. It shall be liable for any damage caused by its employees in the performance of their duties.

The Processor shall only be liable for damage caused by processing under this contract if it has failed to fulfil its obligations under data protection law or has failed to comply with the lawful instructions of the Controller.

The Processor shall be liable for direct damage caused to the Controller in connection with the fulfilment of the service. The liability obligation shall not apply if the Processor can prove a lack of fault.

The Processor shall be liable to the Controller for any damage caused, in breach of their obligations, by the Processor, its employees or the Sub-processors it has commissioned in connection with the provision of the contractual service.

9. ENTRY INTO FORCE, DURATION, TERMINATION

The contract shall enter into force upon signature by both parties. The duration of this contract (term) corresponds to the term of the main contract, but in any case lasts as long as the Processor processes the Controller's personal data (including backups). Termination for good cause remains reserved.

Upon termination of this Agreement, the Processor (and, if applicable, the Sub-processor) shall, at the Controller's option, return to the Controller all Personal Data provided in a machine-readable format of the Controller's choice, including the data carriers supplied, and provide the Controller with copies thereof, or delete all Personal Data, including copies thereof, and certify to the Controller that it has done so, unless the Processor is prevented by law from returning or destroying all or part of the Personal Data provided. In this case, the Processor guarantees that it will ensure the confidentiality of the personal data transmitted for an indefinite period of time and that it will no longer actively process the personal data transmitted.

The Processor is obliged to ensure that any Sub-processor also returns or deletes the data without delay.

The Controller has the right to verify that the data has been returned by the Processor in full and in accordance with the contract and/or deleted.

10. FINAL PROVISIONS

Insofar as no special provision has been made in this contract, the provisions of the main contract shall apply, in particular with regard to confidentiality, liability, applicable law, place of jurisdiction and termination.