Data Processing Agreement

1. PREAMBLE AND SCOPE

This DPA forms an integral part of the Agreement between the Parties as defined in the GT&C and is an annex to the GT&C.

Unless otherwise specified herein, capitalized terms herein shall have the meaning ascribed to them in the GT&C. Legal terms used herein (e.g. "Data Subject", "Controller" etc.) shall have the meaning ascribed to them in the Applicable Data Protection Law.

The Parties have concluded one or more agreements ("Contract" or "Contracts"; see list in Sub-Annex 1) in which the Provider (the "Contractor") acts as service provider to the Customer or its customers.

The provision of the services pursuant to the Contract by the Contractor may qualify as processing of personal data within the meaning of the applicable data protection law. Insofar as the Contractor processes personal data of the Customer or its customers ("Personal Data") within the scope of the collaboration as Processor or subprocessor in compliance with the respective Applicable Data Protection Law, this DPA shall supplement the Contract and specifies the obligations of the Parties regarding data protection. For the avoidance of doubt, the Parties agree that the Customer is and shall at all times remain the Controller of the Personal Data.

The Applicable Data Protection Law is the Swiss Data Protection Act and the European General Data Protection Regulation (GDPR), if and to the extent applicable ("Applicable Data Protection Law").

2. SUBJECT, TERM, TYPE AND PURPOSE OF THE AGREEMENT

The subject of the Contract as well as the type and purpose of the processing derives from the Contract which is referenced in Sub-Annex 1.

This DPA shall come into force upon signature of the Order Form (as set out therein). The term of this DPA shall conform with the term of the Contract (or with the last active Contract in the case of several Contracts) between the Customer and the Contractor under which the Contractor shall process Personal Data for the Customer provided that no obligations beyond this arise from the provisions of this DPA. In addition, this DPA shall automatically end when the Contractor no longer processes any Personal Data for the Customer pursuant to the Contract or upon termination of the (last active) Contract.

The possibility of termination of this DPA for good cause with immediate effect shall remain reserved. Good cause shall include, in particular, a repeated or serious breach by one Party of the provisions of the Contract, this DPA or of Applicable Data Protection Law. The extraordinary right of termination pursuant to Section 10 shall also entitle to termination without notice.

If the type of processed Personal Data, the type and the purpose of the Personal Data processing as well as the categories of Data Subjects affected by the processing are not already derived from the respective Contract, they shall be listed in one or more annexes to this DPA.

3. SCOPE AND RIGHT TO ISSUE INSTRUCTIONS

The Contractor shall process Personal Data exclusively for the intended purpose in accordance with the respective Contract and the documented instructions of the Customer. 

As a rule, instructions shall be given in text form (i.e. in writing, by email or in a documented electronic format). Verbal instructions shall be confirmed immediately in writing or in a documented electronic format.

Any deviating obligations of applicable law (e.g. binding decrees of competent authorities) shall remain reserved; the Customer must be informed of these in a timely manner, provided this is legally permissible.

4. DATA SECURITY

The Contractor shall take suitable technical and organizational measures (TOM) in accordance with Sub-Annex 2 to shape, check and adjust the in-house organization on an on-going basis in its area of responsibility so that it can provide an appropriate level of data protection in accordance with Applicable Data Protection Law, including if applicable Art. 32 GDPR to protect Personal Data from accidental or unlawful destruction, loss, amendment, forwarding, etc. In the process, the Contractor shall take account of the state of the art, the implementation costs as well as the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the severity of the risk for the rights and freedoms of the Data Subjects.

The measures are subject to technical progress and further development. Alternative or additional measures may be implemented if the level of protection provided by the specified measures is not undercut.

5. CONFIDENTIALITY

The Contractor undertakes to treat Personal Data obtained under the Contract or this DPA as confidential and to make it available only to persons who need access to the Personal Data in order to perform their duties towards the Contractor. The Contractor shall ensure that the persons authorized to process the Personal Data are obliged to maintain confidentiality/secrecy to the extent that they are not subject to a statutory duty of confidentiality. Employees and other persons working for the Contractor who deal with relevant Personal Data shall be forbidden to process such Personal Data outside this Contract and this DPA. The confidentiality/secrecy obligation shall continue for a period of five years after termination of this DPA.

The confidentiality/secrecy obligation herein shall not limit disclosure by the Contractor if required by law, including, without limitation, if a government or Supervisory Authority demands access to Personal Data.

6. CONTACT PERSONS

The Parties shall each disclose in Sub-Annex 1 a contact person for all data protection matters; a data protection officer shall also be identified in cases where this is mandatory.

7. RIGHTS OF THE DATA SUBJECTS

If a Data Subject contacts the Contractor directly with requests for correction, deletion, information or other claims concerning Personal Data, the Contractor shall immediately inform the Customer, if assignment to the Customer is possible based on the information provided by the Data Subject.

The Contractor shall support the Customer, while taking account of the type of processing with suitable technical and organizational measures, to meet its obligation to answer enquiries from Data Subjects regarding their rights in accordance with Applicable Data Protection Law.

The Contractor's support obligations towards the Customer pursuant to this Section 7 shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services.

The Parties agree that the Customer as Controller of the Personal Data is generally responsible to answer all Data Subject requests and do so in line with Applicable Data Protection Law.

8. DATA PROTECTION BREACHES

The Contractor shall immediately inform the Customer if: 

(i) The Contractor or a subprocessor determines or suspects that a data protection breach has occurred. Such information must be delivered in accordance with Applicable Data Protection Law (including type, scope, extent of the breach) so that the Customer is able to fulfil any possible reporting obligation to the competent data protection authority and/or the Data Subjects in accordance with Applicable Data Protection Law.

(ii) The Personal Data must be passed on to a competent authority. 

(iii) An enquiry, subpoena or application to view or check the processing is received by a competent authority, unless the law prohibits the Customer from being notified.

If a data protection breach occurs on the Contractor's or on a subprocessor's premises, the Contractor shall take reasonable measures at its own cost to identify the cause of the data protection breach as well as to ensure that the Personal Data is protected and reduce the likelihood of any possible negative consequences for the Data Subjects.

The Contractor's support obligations towards the Customer pursuant to this Section 8 shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services.

9. RETURN OR ERASURE OF PERSONAL DATA

Upon termination or expiration of the Contract, the Contractor will either return or delete the related Customer Personal Data in its possession in line with the GT&C, unless otherwise required by applicable law. The Contractor may not retain Personal Data for longer than is necessary for the fulfillment of its obligations under the Contract, provided that no legal obligation to retain Personal Data exists to the contrary. 

10. INVOLVEMENT OF SUBPROCESSORS

The Contractor shall hereby receive prior general written permission to involve subprocessors for processing of Personal Data. Insofar as the permissible subcontractors do not already result from the Contract, they shall be listed in Sub-Annex 1. The list of subprocessors shall be kept up to date on an ongoing basis.

The Contractor may add or replace subprocessors at its discretion. The Customer shall be informed in advance of any planned amendment to the list of subprocessors with a reasonable notice period. If the Customer has an objectively compelling reason in accordance with Applicable Data Protection Law, it shall be entitled, within 20 days of being notified by the Contractor, to contest the processing of Personal Data by a new subprocessor. If there is no objection within this period, the new subprocessor shall be deemed to have been accepted by the Customer. If there is an objectively compelling reason under Applicable Data Protection Law, and provided that a mutually agreeable solution cannot be found between the Parties, the Contractor shall be granted a special right to terminate the Contract and this DPA (right to terminate without notice).

The Contractor shall be obliged to conclude the necessary agreements with the subprocessor in order to ensure that the subprocessor is subject to the same obligations as those incumbent on the Contractor on the basis of the present DPA and the respective Contract. The Contractor shall be obligated to provide the Customer, upon the Customer's request, with information about the essential content of the agreement and the implementation of the obligations relevant to data protection by the subprocessor.

If the subprocessor does not meet its data protection obligations, the Contractor shall be liable to the Customer for any breaches caused by the subprocessors in accordance with the provisions of this DPA. 

11. DOCUMENTATION, PROCESSING INVENTORY

Each Party shall be responsible for observing its documentation obligations, in particular the record of processing activities, insofar as this is required by Applicable Data Protection Law. Each Party shall support the other in a reasonable manner while fulfilling its documentation obligations, including the provision of information which the other Party requires from it in an appropriate format (e.g. through the use of an electronic system) so that the other Party can meet its obligations in connection with the record of processing activities.

12. DATA PROTECTION IMPACT ASSESSMENT

If the Customer is obligated to perform a data protection impact assessment or to consult a supervisory authority in advance under Applicable Data Protection Law, the Contractor shall, at the Customer's request, provide free of charge those documents that are generally available for the services of the respective Contract (e.g. this DPA, the Contract, audit reports or certifications). Any additional support shall be mutually agreed between the Parties.

13. VERIFICATION OBLIGATIONS AND AUDIT RIGHTS

The Contractor shall verify its observance of the obligations specified in this DPA to the Customer by suitable means (e.g. certificates).

The Customer shall be entitled to check compliance with the statutory or contractual obligations relating to the processing of Personal Data by means of inspections or audits, either itself or through auditors appointed by it, who shall be under strict confidentiality for the protection of the Contractor, if

(i) the Contractor does not provide sufficient verification (e.g. certificate, audit report) of its observance of the technical and organizational measures for the protection of the systems and processing processes used;

(ii) there has been a breach of the protection of Personal Data;

(iii) a check is officially requested by a supervisory authority of the Customer; or

(iv) the Customer has a direct audit right in accordance with mandatory, Applicable Data Protection Law.

The Contractor shall be obliged to cooperate appropriately in an audit. The Parties shall agree in advance on the time, duration, and subject of the audits and on applicable security and confidentiality provisions. The audit shall be conducted in such a way that no operational processes of the Contractor are disturbed. Audits and inspections by the Customer shall be limited to a maximum of three working days per year. In no case may an audit be conducted by a competitor of the Contractor and/or the relevant subprocessor.

Each party shall bear any costs and expenses which it incurs in connection with the audit or the inspection itself. If the work takes longer than three working days, the Contractor may request remuneration from the Customer for support while carrying out an inspection or audit authorized by the Customer. 

If significant breaches of this DPA or shortcomings are detected while the Contractor is fulfilling its obligations within the scope of an audit or after presenting proof or reports, the Contractor shall immediately take suitable corrective measures at no extra cost.

14. DATA PROCESSING IN THIRD COUNTRIES

The processing of the Personal Data shall take place exclusively in Switzerland, in a member state of the European Union (EU), in another state party to the Agreement on the European Economic Area (EEA) or in a country which has an adequate level of protection according to the adequacy decision of the European Commission or the Federal Council. The processing of Personal Data outside this area is only permitted after written information has been provided to the Customer and in accordance with the applicable legal provisions. In the event that data is disclosed to a country without an adequate level of data protection, the Contractor undertakes in particular to conclude a supplementary contract with the data recipients based on the current EU standard contractual clauses (adapted to Switzerland where necessary) and to take additional appropriate legal, technical or organizational measures. 

15. LIABILITY

The Contractor shall be liable to the Customer for culpable violations of this DPA. The Contractor shall be liable for any culpable violations of its subprocessors as for its own acts. The liability of the Parties under this DPA shall be governed by the liability provisions and limitations under the Contract or, in the case of several Contracts, under the Contract concerned. Further statutory legal liability claims remain reserved.

16. FINAL PROVISIONS

Entire Agreement and contradictions

This DPA and its annexes shall govern the relationship between the Parties with regard to the contractual processing of Personal Data in its entirety and shall replace any negotiations and correspondence made prior to the conclusion of this DPA. 

In the event of contradictions between the Contract and this DPA, the DPA shall take precedence over the provisions of the Contract, if and insofar as the processing of Personal Data by the Contractor is affected within the scope of the Contract in question.

In the event of contradictions, a Sub-Annex to this Agreement shall take precedence; if there are several Sub-Annexes, the provisions of the Sub-Annexes which most recently came into force shall take precedence over contradictory provisions in an earlier annex.

16.1 Amendments

Should one of the Parties come to the conclusion that this DPA no longer meets the requirements of the Applicable Data Protection Law, the Parties shall amend this DPA in good faith by mutual agreement.

16.2 Notifications

Unless explicitly regulated otherwise, any notices required to exercise rights and obligations under this DPA shall be issued in writing, transmitted by letter or email with subsequent confirmation letter, to the address of the contracting Party specified on the Order Form or Sub-Annex 1.

16.3 Severability

If individual provisions or parts of this DPA, including its Sub-Annexes, prove to be void or ineffective, the validity of the remaining parts of the DPA shall not be affected. In such a case, the Parties shall amend this DPA in such a way that the purpose of the void or ineffective part is achieved to the fullest extent possible.

16.4 Assignment and Transfer

This DPA may only be assigned or transferred to third parties upon transfer of the Contract in accordance with the assignment and transfer clause set forth therein.

16.5 Dispute resolution

Both Parties shall attempt in good faith to reach an amicable solution to any disputes relating to this DPA.

16.6 Applicable law and place of jurisdiction

If the Parties fail to resolve differences amicably despite respective efforts, legal proceedings shall be undertaken in accordance with the provisions in the respective Contract (applicable law and place of jurisdiction).

SUB-ANNEX 1 TO THE DATA PROCESSING AGREEMENT (DPA)

CONTRACTUAL BASIS FOR THE PROCESSING

In accordance with Section 1 of the DPA, the Parties have concluded one or more Contracts in which the Contractor acts as service provider vis-a-vis the Customer or its customers. Details on the services provided are set forth in the respective Order Form.

SCOPE, TYPE AND PURPOSE OF THE AGREEMENT IN ACCORDANCE WITH SECTION 2 OF THE DPA

2.1 Subject, Nature and Purpose of Data Processing

The subject, nature and purpose of data processing include:

The Contractor shall operate particular hardware and system software (IT systems) for the Customer within the scope of the obligations arising from the Contract. The Customer or its end customer (hereinafter "Service User") shall use its own applications. Within the scope of operating the IT systems, personal data of the Service User which it stores and processes on the applications may be accessed. However, such access by the Contractor to personal data shall only be an ancillary effect of the agreed system operation and shall not be one of the main obligations of the Contractor within the scope of the Contract.

2.2 Categories of Personal Data

The types and categories of Personal Data are derived from the following list:

As Phoenix Systems AG provides Services where the Customer is free to run any kind of application and input any data, the data categories could include all different kinds of data.

2.3 Categories of Data Subjects

The categories of Data Subjects affected are derived from the following list:

Not limited in any sense.

3. CONTACT PERSONS IN ACCORDANCE WITH SECTION 6 OF THE DPA

3.1 Contact person(s) authorized at the Customer:  

See Order Form.

3.2 Reporting relevant data protection incidents

The Contractor must report any relevant data protection incidents to the Customer without undue delay after they are detected. 

The following person(s) at the Customer must be informed within usual hours of business:

See Order Form.

3.3 Contact person(s) at the Contractor

Name and surname: Stefan Taroni

Position: COO

Address: Hardturmstrasse 103, 8005 Zürich, Switzerland

Phone: +41 44 500 86 41

Email: stefan.taroni@phoenix-systems.ch