Order processing agreement (AVV)
- This Agreement governs the rights and obligations of the Principal and the Contractor Netstream (hereinafter jointly the "Parties") in connection with the commissioned processing (hereinafter uniformly the "Commissioned Processing") of personal data (hereinafter uniformly the "Personal Data").
- This Agreement shall apply to all activities in which the Contractor processes or has processed (hereinafter uniformly referred to as "Processing") personal data in whole or in part on behalf of the Client.
- The Contractor is subject to Swiss data protection law, in particular in accordance with the applicable Federal Data Protection Act (DPA). The European Commission has determined by decision of 26 July 2000 that Swiss data protection law ensures an adequate level of protection for personal data. The determination is deemed to be an adequacy decision pursuant to Article 45 (1) of the European Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).
- With this contract, the Contractor enables compliance with the applicable data protection law requirements for commissioned processing, in particular pursuant to Art. 10a DSG or pursuant to Art. 9 of the new Swiss Federal Data Protection Act (nDSG, not yet in force) and pursuant to Art. 28 GDPR.
- This contract is based on the European Commission's Implementing Decision of June 4, 2021 on standard contractual clauses between controllers and processors.
2. Nature, subject matter and purpose of the commissioned processing
- The commissioned processing shall be carried out in accordance with existing or yet to be concluded contractual agreements between the parties. The provisions of this Agreement shall prevail in the event of a conflict between the provisions of this Agreement and other contractual agreements between the Parties.
- Commissioned processing includes any handling of personal data, regardless of the means and procedures used, in particular the archiving, storage, disclosure, procurement, deletion, modification, destruction and use of personal data. Personal data is any information relating to an identified or identifiable person.
- For commissioned processing, the categories of personal data that are processed and the categories of data subjects whose personal data are processed result from the contractual agreements pursuant to marg. no. 6.
- The commissioned processing of particularly sensitive personal data or special categories of personal data is excluded. Personal data requiring special protection includes data relating to trade union, political, religious or ideological views or activities, data relating to health, privacy, sex life, sexual orientation or membership of an ethnic or racial group, data relating to social assistance measures, data relating to administrative or criminal prosecutions or sanctions, biometric data that uniquely identify a natural person and genetic data.
3. Obligations of the parties
- The Contractor shall process Personal Data for an indefinite period of time until termination of this Agreement or the last contractual agreement between the Parties concerning commissioned processing.
- The Contractor shall process personal data exclusively as contractually agreed or in accordance with documented instructions from the Client, unless the Contractor is obligated by law or regulation to perform a certain processing. In such a case, the Contractor shall inform the Client of this legal or regulatory obligation, unless such information is prohibited for legal reasons.
- The Client may issue further documented instructions throughout the duration of the commissioned processing.
- The Contractor shall inform the Client immediately if it is of the opinion that contractual agreements or issued instructions violate applicable data protection requirements, in particular pursuant to the DSG or nDSG and pursuant to the GDPR.
- The Contractor shall process Personal Data exclusively for the purpose(s) pursuant to the contractual agreements between the parties (margin no. 6), provided that the Contractor does not receive any further documented instructions from the Client.
- The Contractor shall take at least the technical and organizational measures (TOM) as published at https://netstream.ch/tom/ to ensure the security of the Personal Data processed. These measures include, in particular, the protection of the Processed Personal Data against a breach of security that leads, in each case unintentionally or unlawfully, to the unauthorized disclosure of Personal Data or unauthorized access to Personal Data or to the alteration, loss or destruction of Personal Data (hereinafter collectively the "Data Security Breaches").
- The Contractor shall only grant its personnel access to personal data to the extent that this is absolutely necessary for the implementation, monitoring and administration of this contract. The Contractor shall ensure that the persons authorized to perform the commissioned processing have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
5. Documentation and testing possibilities
- The parties must be able to demonstrate compliance with this Agreement.
- The Contractor shall process requests from the Client for commissioned processing in accordance with this Agreement in a reasonable manner and without delay.
- The Contractor shall provide the Client with all information necessary to prove compliance with the requirements set forth in this Agreement and arising directly from the applicable provisions of data protection law.
- Upon request, the Contractor shall enable the Client to audit the commissioned processing pursuant to this Agreement at reasonable intervals or in the event of documented indications of non-compliance and shall contribute to such audit.
- The contracting agency may conduct an audit itself or have it conducted by an independent auditor. Such audits shall be limited to one day per calendar year. An audit may also include inspections of the Contractor's physical facilities or premises, provided that such inspections are necessary, take place during normal business hours without disrupting operations, and are notified with reasonable advance notice. Such inspections are otherwise only permissible if and to the extent that the inspection cannot be performed by means of suitable evidence such as certificates or certifications, in particular in the case of data centers.
- The client shall bear the contractor's costs for audits in accordance with margin no. 2021.
- The Parties shall make available to a competent supervisory authority or authorities the information referred to in this Clause 5, including results of audits, upon request, unless such provision is prohibited by law.
6. Subcontract processing
- The Customer shall grant the Contractor general approval for the commissioning of subcontracted processors that are included in the list according to the publication at https://netstream.ch/unterauftragsverarbeitung/.
- The Contractor shall inform the Client at least 14 days in advance in electronic or written form of any intended changes to this list by replacing or adding subcontracted processors. The Contractor shall thus allow the Client sufficient time to raise any objections to the intended changes prior to the commissioning. The Contractor shall provide the Client with the necessary information to enable the Client to exercise its right of objection.
- If no objection is made within the time limit, the intended changes shall be deemed approved. If, in the event of an objection, no amicable clarification between the parties regarding the planned changes is possible and the Client is not prepared to waive its objection, the parties shall be entitled to terminate this Agreement extraordinarily as of the date of the planned changes.
- The Contractor shall contractually impose substantially the same obligations on sub-processors engaged to perform the commissioned processing as those applicable to the Contractor under this Agreement. The Contractor shall ensure that each Sub-Processor complies with the obligations to which the Contractor is subject under this Agreement and under applicable data protection law requirements.
- The Contractor shall be liable vis-à-vis the Client for ensuring that a sub-processor fulfills its obligations in accordance with the sub-processing agreement concluded with the Contractor. The Contractor shall inform the Client if a sub-processor does not fulfill its contractual obligations.
7. Export of personal data
- Any export of personal data to a country outside Switzerland and the member states of the European Economic Area (EEA) or to an international organization shall take place exclusively as contractually agreed or in accordance with documented instructions from the Client, unless the Contractor is legally obligated to export specific data. In such a case, the Contractor shall inform the Client of this legal obligation, unless such information is prohibited for legal reasons.
- Any export of personal data to a country outside of Switzerland and the member states of the EEA will in principle only take place if the data protection law in the respective country ensures an adequate level of protection for personal data from a Swiss and European perspective, according to both the Federal Data Protection and Information Commissioner (FDPIC) and the Swiss Federal Council as well as the European Commission.
- The export of Personal Data to a country outside Switzerland and the Member States of the EEA whose data protection law does not ensure an adequate level of protection of Personal Data may exceptionally take place if for other reasons an adequate level of protection is ensured in accordance with the applicable data protection law requirements, in particular in accordance with intergovernmental agreements or on the basis of applicable standard contractual clauses issued by the European Commission. The Contractor is entitled to adapt and supplement such European standard contractual clauses in accordance with recommendations of the FDPIC in such a way that the standard contractual clauses also comply with the applicable data protection law requirements in Switzerland and are thus suitable for ensuring an adequate level of data protection when exporting data from Switzerland.
8. Support of the client
- The Contractor shall inform the Client without undue delay of any request it has received from a data subject and which relates to the commissioned processing. The Contractor shall be entitled to acknowledge receipt to the data subject, but shall not otherwise respond to the request itself, unless it has been authorized to do so by the Client.
- The Contractor shall support the Client, taking into account the nature of the commissioned processing, in fulfilling its obligation to respond to requests from data subjects to exercise their rights. In providing this support, the Contractor shall follow the instructions of the Client.
- Apart from the support pursuant to margin no. 3233, the Contractor shall further support the Client in complying with the following obligations, taking into account the nature of the commissioned processing and the information available to it:
  - Maintenance of any register of processing activities;
  - Conducting a data protection impact assessment if a planned processing of personal data by the client is likely to result in a high risk to the fundamental rights or personality of the data subjects;
  - Consultation of the competent supervisory authority(ies) prior to the processing of personal data if a data protection impact assessment shows that the planned processing entails a high risk to the fundamental rights or personality of the data subjects despite the measures envisaged;
  - Ensuring that the personal data processed is factually correct and up to date, in that the Contractor shall inform the Client without delay if it discovers that the personal data it processes is incorrect or out of date;
  - Ensuring data security commensurate with the risk, in particular by means of suitable technical and organizational measures (TOM) in accordance with Section 4.
- The Client shall bear the Contractor's costs for support pursuant to margin no. 32, margin no. 33 and margin no. 341-3.
9. Notification of data security breaches
- In the event of a Data Breach, the Contractor shall cooperate with the Client and provide it with appropriate support so that the Client can fulfill its obligations to report Data Breaches to the competent supervisory authority(ies) or to notify the persons affected by Data Breaches, taking into account the nature of the commissioned processing and the information available to it.
9.1 Violations of the security of personal data processed by the Client
- In the event of a breach of data security in connection with the personal data processed by the Client, the Contractor shall support the Client as follows:
  - In notifying the competent supervisory authority(ies) of the Data Breach without undue delay after the Principal becomes aware of the Data Breach, if relevant (unless the Data Breach is unlikely to result in a high risk to the fundamental rights or privacy of the Data Subjects), and, in each case, as soon as available, in obtaining the information that must be included in the notification in accordance with applicable data protection law requirements.
  - In notifying data subjects affected by data breaches in accordance with applicable data protection law requirements, when necessary to protect the data subjects or when required by a competent supervisory authority.
- The Client shall bear the costs of the Contractor for the support pursuant to this Clause 1.
9.2 Violations of the security of personal data processed by the Contractor
- In the event of a breach of data security in connection with the personal data processed by the Contractor, the Contractor shall inform the Client immediately after becoming aware of the breach.
- Within the scope of this information, the Contractor shall provide the Client - in each case as soon as available - with the data that the Client requires in accordance with the applicable data protection requirements, in particular:
  - Description of the nature of the breach (specifying, if possible, the categories and approximate number of individuals affected and the approximate number of records affected);
  - Contact information for a point of contact where further information about the data breach can be obtained;
  - Anticipated consequences of the data breach and measures taken or proposed to address the data breach, including measures to mitigate the potential adverse effects of the data breach.
- The Contractor shall bear the costs for the support in accordance with this Clause 2.
10. Suspension of commissioned processing
- In the event that the Contractor fails to comply with its obligations under this Agreement, the Customer may instruct the Contractor to suspend the commissioned processing of Personal Data until the Contractor complies with this Agreement or this Agreement is terminated. The Contractor shall inform the Client without undue delay if, for whatever reason, it is unable to comply with this Agreement.
- Liability is governed by any liability provisions in the contractual agreements between the parties (marg. no. 6).
- The client is entitled to terminate this contract extraordinarily and without notice if:
  - the Client has suspended the commissioned processing pursuant to Clause 10 and compliance with this Agreement has not been restored within a reasonable period of time, but in any case within one month after the suspension;
  - the Contractor substantially or persistently breaches this Agreement or fails to comply with the applicable data protection requirements;
  - the Contractor fails to comply with the binding decision of a competent supervisory authority or a competent court which has as its object obligations of the Contractor in accordance with the applicable data protection requirements.
- The Contractor shall be entitled to terminate this Agreement extraordinarily and without notice if the Client insists on the fulfillment of a contractual agreement or instruction after it has been notified by the Contractor pursuant to no. 13 that the contractual agreement or instruction violates applicable data protection requirements.
- The parties are entitled to terminate this contract with a notice period of three months as of the end of the month, unless contractual agreements between the parties do not provide for a notice period or do not provide for a different notice period.
- Upon termination of this Agreement, the Contractor shall, at the option of the Client, delete all personal data processed on behalf of the Client and certify to the Client that deletion has taken place, or the Contractor shall return all personal data to the Client and delete existing copies, unless the Contractor is entitled or obliged by law or regulation to store the personal data. Unless the Customer notifies the Contractor of its choice within four weeks of termination of this Agreement, the Contractor shall delete the Personal Data. Until the deletion or return of the personal data, the Contractor shall ensure compliance with this Agreement.
13. Final provisions
- This contract is part of the Netstream GTC.
- The parties shall inform each other of any data protection advisor or any data protection officer in accordance with the applicable data protection requirements.
- The parties are obligated to treat all knowledge of business secrets of the respective other party obtained within the scope of this Agreement as well as of personal data as permanently confidential even beyond the termination of this Agreement, unless one party is legally obligated to make a certain disclosure. In such a case, the obligated party shall inform the respective other party of this legal obligation, unless such information is prohibited for legal reasons. If one party is in doubt as to whether information is subject to this confidentiality obligation, the information shall be treated confidentially until expressly released by the respective other party.
- If individual provisions of this Agreement are unenforceable, invalid or ineffective, this shall not affect the enforceability, validity or effectiveness of the remaining provisions and the parties shall replace the individual provision with an enforceable, valid or effective provision that comes as close as possible to the intended data protection outcome of the individual provision.
- This contract shall be governed exclusively by Swiss law. The conflict of laws and the UN Convention on Contracts for the International Sale of Goods are excluded. The exclusive place of jurisdiction shall be at the registered office of the Contractor.