Order processing agreement

1. Contracting parties

Contract for the processing of personal data on behalf of a controller.

In accordance with the contract between

- Client -

and

- Contractor -

‍

2. Scope of the assignment

The contractor processes the client's data on behalf of and in accordance with the client's instructions (order processing). The client remains the responsible body within the meaning of data protection law.

The processing of the client's data by the contractor shall be carried out in the manner, to the extent, and for the purposes specified in Appendix 1 to this contract; the processing concerns the types of personal data and categories of data subjects specified therein. The duration of the processing corresponds to the term of the agreed offer.

The contractor is entitled to anonymize or aggregate the client's data so that it is no longer possible to identify individual data subjects, and to use it in this form for the purposes of needs-based design, further development, and optimization, as well as for the provision of the service agreed upon in the offer. The parties agree that client data anonymized or aggregated in the aforementioned manner no longer constitutes client data within the meaning of this contract.

The contractor may process and use the client's data for its own purposes within the scope of data protection law and on its own responsibility if this is permitted by a statutory permission provision or a declaration of consent from the data subject. This contract does not apply to such data processing.

‍

3. Client's authority to issue instructions

The contractor shall process the client's data in accordance with the client's instructions, unless the contractor is legally obliged to process it differently. In the latter case, the contractor shall inform the client of these legal requirements prior to processing, unless the law in question prohibits such information on the grounds of an important public interest. It should be noted that, on the client's side, in addition to the owner or legal representative, the data protection officer, if one has been appointed, also has the authority to issue instructions.

The client's instructions are generally set out and documented in the provisions of this contract. Individual instructions that deviate from the provisions of this contract or impose additional requirements require the prior consent of the contractor and shall be carried out in accordance with the change procedure specified in the offer, in which the instruction must be documented and the client must agree to bear any additional costs incurred by the contractor as a result.

The contractor guarantees that it will process the client's data in accordance with the client's instructions. If, in the contractor's opinion, an instruction from the client violates this contract or applicable data protection law, the contractor is entitled, after informing the client in advance, to suspend the execution of the instruction until the client confirms the instruction. The parties agree that the client bears sole responsibility for the processing of client data in accordance with the instructions.

‍

4. Responsibility of the client

The client bears sole responsibility for the legality of the processing of client data and for safeguarding the rights of the data subjects in the relationship between the parties. Should third parties assert claims against the contractor due to the processing of client data within the scope of this contract, the client shall indemnify the contractor against these claims upon first request.

The client is obliged to provide the contractor with the client data in good time for the provision of services and is responsible for the quality of the client data. The client is obliged to inform the contractor immediately and comprehensively if, when checking the contractor's order results, it discovers errors or irregularities with regard to data protection regulations or its instructions.

The client must provide the contractor with all information upon request, insofar as the contractor does not already have it.

If the contractor is obliged to provide information about the processing of the client's data to an authority or person or to cooperate with them in any other way, the client is obliged to support the contractor upon first request in providing the information or fulfilling other obligations to cooperate.

The client is obliged to make payment in accordance with the contract and the General Terms and Conditions. Additional services not agreed upon will be charged at an hourly rate of CHF 150.

‍

5. Requirements for personnel

The contractor shall require all persons who process client data to maintain confidentiality with regard to the processing of client data.

‍

6. Security of processing

The contractor shall take the necessary and appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing the client data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of security appropriate to the risk.

The contractor is entitled to change or adapt the technical and organizational measures during the term of the contract, provided that they continue to comply with legal requirements.

‍

7. Use of additional processors

The client hereby grants the contractor general permission to commission additional subcontractors in Switzerland or abroad to process client data. Contractual relationships with service providers whose services involve the testing or maintenance of data processing procedures or systems by other parties or other ancillary services are generally not subject to approval, even if access to client data cannot be ruled out, provided that the contractor takes appropriate precautions to protect the confidentiality of the client data.

The contractor shall inform the client of any intended changes with regard to the involvement or replacement of further subcontractors. The client has the right to object to the commissioning of a potential further processor in individual cases. The client may only object to the commissioning for good cause, which must be proven to the contractor. If the client does not object within 14 days of receiving the notification, its right of objection for the order in question expires. If the client objects, the contractor is entitled to terminate the main contract and this contract with a notice period of 3 months.

The contract between the contractor and the sub-processor must impose the same obligations on the sub-processor as those imposed on the contractor by this contract. The parties agree that this requirement is met if the contract provides for a level of protection equivalent to that provided by this contract or if obligations are imposed on the sub-processor.

Under the conditions set out in section 2.5 of this contract, the provisions of this section 7 shall also apply if another processor is engaged in a third country. The client hereby authorizes the contractor to conclude a contract on behalf of the client with another processor for the transfer of personal data to processors in third countries. The client agrees to cooperate to the extent necessary to fulfill the requirements.

Data processing takes place primarily at the contractor's location in Switzerland. Through cooperation with sub-processors or employees in nearshoring, data may also be processed by them and outside Switzerland. If data processing is carried out abroad, this is done on the basis of the adequacy decision in accordance with the Annex to the Data Protection Ordinance (DSV), on the basis of the standard data protection clauses (EU-SCC) approved by the Federal Data Protection and Information Commissioner (EDÖB/FDPIC)), or on the basis of binding internal data protection regulations.

‍

8. Rights of data subjects

The contractor shall support the client within reasonable limits by taking technical and organizational measures to fulfill its obligation to respond to requests for the exercise of data subjects' rights.

If a data subject submits a request to exercise their rights directly to the contractor, the contractor shall forward this request to the client without delay.

The contractor shall provide the client with information about the client's stored data, the recipients to whom the contractor transmits the client's data in accordance with the contract, and the purpose of storage, insofar as the client does not have this information itself or cannot obtain it.

The contractor shall, within the scope of what is reasonable and necessary, enable the client to correct, delete, or restrict the further processing of the client data in return for reimbursement of the expenses and costs demonstrably incurred by the contractor as a result, or, at the client's request, shall itself correct, block, or restrict the further processing if and to the extent that this is not possible for the client itself.

Insofar as the data subject has a right to data portability with regard to the client data pursuant to Art. 20 GDPR, the contractor shall, within the scope of what is reasonable and necessary, support the client in providing the client data in a common and machine-readable format in return for reimbursement of the expenses and costs incurred and proven by the contractor, if the client cannot obtain the data elsewhere.

‍

9. Contractor's notification and support obligations

Insofar as the client is subject to a statutory reporting or notification obligation due to a breach of the protection of the client's data, the contractor shall immediately inform the client of any reportable events within its area of responsibility. Upon request, the contractor shall support the client in fulfilling its reporting and notification obligations to the extent reasonable and necessary, in return for reimbursement of the contractor's proven expenses and costs incurred as a result.

The contractor shall support the client within the scope of what is reasonable and necessary in any data protection impact assessments to be carried out by the client and any subsequent consultations with the supervisory authorities, in return for reimbursement of the contractor's proven expenses and costs incurred as a result.

‍

10. Data deletion

The contractor shall delete the client's data upon termination of this contract, unless the contractor is legally obliged to continue storing the client's data.

Documents serving as evidence of the proper and orderly processing of the client's data in accordance with the contract may be retained by the contractor even after termination of the contract.

‍

11. Evidence and inspections

Upon request, the contractor shall provide the client with all information necessary to prove the fulfillment of its obligations under this contract and available to it.

The client is entitled to verify the contractor's compliance with the provisions of this contract, in particular the implementation of technical and organizational measures, including through inspections.

In order to carry out audits in accordance with Section 11.2, the client shall have the right, after giving timely notice in accordance with Section 11.5, at its own expense, without disrupting operations and under strict confidentiality of the contractor's trade and business secrets, to enter the contractor's business premises where the client's data is processed during normal business hours (Monday to Friday from 10:00 a.m. to 6:00 p.m.).

The contractor is entitled, at its own discretion and taking into account the client's legal obligations, not to disclose information that is sensitive in relation to the contractor's business activities or whose disclosure would enable the contractor to violate legal or other contractual provisions. The client has no right to access data or information about other customers of the contractor, cost information, quality control and contract management reports, or other confidential data of the contractor that is not directly relevant to the agreed audit purposes.

The client must inform the contractor in good time (usually at least two weeks in advance) of all circumstances that are relevant to the performance of the audit. The client is entitled to carry out one audit per calendar year. Further audits shall be carried out against reimbursement of costs and after consultation with the contractor.

If the client commissions a third party to carry out the audit, the client shall oblige the third party in writing in the same way as the client is obliged to the contractor under this section 11 of this contract. In addition, the client shall oblige the third party to maintain confidentiality and secrecy, unless the third party is subject to a professional duty of confidentiality. At the contractor's request, the client shall immediately submit to the contractor the commitment agreements made with the third party. The client may not commission any competitor of the contractor to carry out the audit.

Proof of compliance with the obligations under this contract may, at the contractor's discretion, be provided by submitting a suitable current attestation or report from an independent body (e.g., auditor, audit, data protection officer, IT security department, data protection or quality auditors) or a suitable certification by IT security or data protection audit - e.g. according to BSI basic protection - (“audit report”) if the audit report enables the client to satisfy itself of compliance with the contractual obligations in a suitable manner.

‍

12. Contract term and termination

The term and termination of this contract are governed by the provisions on term and termination defined in the offer.

‍

13. Liability

The contractor's liability under this contract is subject to the exclusions and limitations of liability set out in the general terms and conditions. If third parties assert claims against the contractor that are based on a culpable breach of this contract or one of its obligations as the data protection controller by the client, the client shall indemnify the contractor against these claims upon first request.

The client undertakes to indemnify the contractor upon first request against any fines imposed on the contractor to the extent that the client is partly to blame for the violation punished by the fine.

‍

14. Final provisions

Should individual provisions of this contract be or become invalid or contain a loophole, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision, taking into account the requirements.

In the event of contradictions between this contract and other agreements between the parties, in particular the approved offer, the provisions of this contract shall take precedence.