Data Processing Agreement (DPA)
between
Customer
'Data Controller'
and
Nine Internet Solutions AG
Badenerstrasse 47
8004 Zürich
'Data Processor'
1 Aim and Scope of Application
(a) The aim of this agreement on data processing ('DPA') is to ensure compliance with the Federal Act on Data Protection ('FADP') and with further data protection legislation (such as the General Data Protection Regulation of the European Union), insofar as it is applicable ('Applicable Data Protection Regulations'). Individual pieces of legislation shall only be applied within the scope in which they are applicable to the respective processing task.
(b) This DPA pertains to the processing of personal data as described in appendix 1, and any terms defined in appendix 1 are deemed by this DPA as clearly defined terms.
2 Interpretation
(a) Where this agreement uses terms which are defined in Applicable Data Protection Regulations, they carry the same meaning as in these regulations.
(b) This DPA is to be read and interpreted in compliance with the requirements of Applicable Data Protection Regulations, in particular the FADP, within the scope in which these are pertinent.
(c) These terms are not to be interpreted in a manner which is contrary to the rights and requirements stipulated by Applicable Data Protection Regulations, or which curbs the fundamental rights and liberties of affected persons.
3 Hierarchy
(a) In such a case that there is a contradiction between this DPA and the stipulations made in another agreement between both parties, which is either in place when this DPA is signed or is arranged afterwards, this DPA takes precedence over such an agreement, unless an exception is explicitly stated in written form.
4 Description of Processing
(a) The processing details, particularly the categories of personal data and the purposes for which this personal data is processed on behalf of the Data Controller, are listed in Appendix 1.
5 Duties of the Agreeing Parties
5.1 General
(a) The Data Processor processes personal data only by written order given by the Data Controller, unless the Data Processor is subject to legislation which legally requires the processing of personal data. For the entire duration of personal data processing activities, the Data Controller has the right to give additional directives. Such directives must be documented at all times. The Data Controller agrees that the underlying agreement, this DPA, their updates, as well as, wherever possible, the Data Controller's technical configurations form the entire body of directives given by the Data Controller.
(b) The Data Processor informs the Data Controller at once wherever the Data Processor deems the Data Controller's directives to be in violation of the FADP or further applicable legislation.
5.2 Purpose limitation
(a) The Data Processor may process personal data solely for the processing purpose(s) listed in Appendix 1.
5.3 Erasing or Returning Data
(a) Any data processing activities conducted by the Data Processor must not exceed the duration defined in Appendix 1.
(b) Upon the cessation of services pertaining to the processing of personal data, or upon termination in accordance with Article 8, the Data Processor returns all personal data to the Controller and deletes any existing copies, unless Applicable Data Protection Regulations or other legislation stipulate the retention of this personal data.
5.4 Processing Security
(a) The Data Processor takes the technical and organisational measures (TOM) outlined in Appendix 2 to ensure the security of personal data, including the safeguarding against accidental or illegal destruction, loss, alteration, unauthorised transfer of or access to this data (personal data breach). The Data Controller is responsible for the assessment of what constitutes an appropriate level of security, in particular with regard to the risks associated with data processing, the type of personal data as well as the type, scope, circumstances and purposes of processing this data.
(b) In the case of a personal data breach pertaining to data which is processed by the Data Processor, the Data Processor notifies the Data Controller without delay, and no later than 48 hours after becoming aware of the breach. This notification must include information regarding a point of contact for further inquiries into the personal data breach, a description of the type of breach (including, wherever possible, the categories and approximate number of affected persons and data sets), its likely consequences and the measures taken or planned to mitigate its possible negative repercussions. Should it not be possible to provide all information at once, the first notification includes any hitherto available information, while any further information is provided without unreasonable delay as soon as it is available.
(c) The Data Processor will act in good faith and trust to work with and support the Data Controller in any way necessary to enable the Data Controller to notify, where appropriate, the relevant data protection authorities and affected persons, while taking into account the processing type and the information available to the Data Processor.
(d) The Data Processor grants employees access to the data only insofar as it is strictly necessary for fulfilling, managing and monitoring the agreement between Data Processor and Data Controller. The Data Processor ensures that persons who are authorised to process the personal data obtained are obliged to confidentiality or are subject to an equivalent legal confidentiality obligation.
5.5 Documentation and Compliance
(a) The parties must be able to prove their compliance with this DPA.
(b) The Data Processor is obliged to immediately and duly answer any reasonable queries made by the Data Controller regarding processing within the scope of Applicable Data Protection Regulations.
(c) The Data Processor provides the Data Controller with any information necessary to prove compliance with requirements defined by and directly resulting from Applicable Data Protection Regulations, enables the Data Controller upon request to assess data and records, or to conduct audits of the processing tasks which fall under the stipulations made herein and contributes to such audits, particularly when there are signs of non-compliance.
(d) The audit can be conducted by the Data Controller, by an independent auditor on commission of and at the cost of the Data Controller, or the Data Controller can elect to accept an independent audit commissioned by the Data Processor. Should the Data Processor commission the audit, the cost of the independent auditor is carried by the Data Processor. The right of the Data Controller to auditing, access and inspection pertains solely to the records of the Data Processor (including, among others, records of data processing activities) and is not applicable to the physical premises of the Data Processor. Any assessment and information request must be limited to information necessary for the purposes of this DPA and must duly take into account the confidentiality obligations the Data Processor is subject to, as well as the Data Processor's valid interest in the protection of business secrets.
(e) The Data Processor and the Data Controller will supply the information outlined in this article, including the results of any audits, to the relevant regulatory body upon request, if and insofar as this is necessary under Applicable Data Protection Regulations.
5.6 Employment of Third-party Data Processors
(a) The Data Processor has the agreement of the Data Controller to commission third-party data processors (subcontractors). A list of third-party data processors employed by the Data Processor can be found in Appendix 3. The Data Processor informs the Data Controller in writing (notification via email or another form of electronic communication is sufficient) at least 30 days before any planned changes to this list are made by adding or replacing third-party data processors, thereby giving the Data Controller the option to veto these changes before the employment of the relevant third-party data processor(s) begins. Such a veto must not be unwarranted. The parties keep the list up to date.
(b) Where the Data Processor commissions a third-party data processor to undertake certain processing activities (on behalf of the Data Controller), this is carried out in accordance with an agreement which makes the third-party data processor subject to the same duties as the Data Processor under Applicable Data Protection Regulations. The Data Processor ensures that any third-party data processor complies with the same obligations to which the Data Processor is bound by this DPA and Applicable Data Protection Regulations.
(c) The Data Processor remains accountable to the Data Controller for the fulfilment of obligations on the side of the third-party data processor arising from the agreement between the Data Processor and the third party. The Data Processor informs the Data Controller should the third-party data processor not fulfil the obligations set out in this agreement.
5.7 International Transfers
(a) Any transfer of data to a 'Third Country' (any country outside Switzerland) or to an international organisation undertaken by the Data Processor is only authorised if it complies with Applicable Data Protection Regulations. Standard contractual clauses might need to be added and a data protection impact assessment might need to be conducted, which would create the necessity to add further requirements.
(b) In cases where the Data Processor has commissioned a third party to take on certain processing activities (on behalf of the Data Controller) as stipulated in clause 5.6 in a Third Country and these processing activities include the transfer of personal data, the Data Controller agrees that the Data Processor and the third-party data processor use standard contractual clauses regarding data protection to fulfil the requirements set out by Applicable Data Protection Regulations, provided that the conditions for the use of such clauses are met.
6 Rights of Affected Persons
(a) The Data Processor informs the Data Controller immediately about any requests made directly by an affected person. The Data Processor does not respond to this request unless authorised by the Data Controller to do so.
(b) The Data Processor supports the Data Controller in fulfilling the Data Controller's data protection duties under Applicable Data Protection Regulations to respond to the requests made by the affected person in accordance with the person's rights. This includes in particular support in information, correction and data transfer requests.
(c) In addition to the Data Processor's obligation to support the Data Controller as stipulated in article 6 (b), the Data Processor supports the Data Controller in fulfilling the following requirements, while taking into account the processing type and the information available to the Data Processor:
(1) The obligation to immediately notify any affected persons of a personal data breach, where this notification is necessary according to Applicable Data Protection Regulations;
(2) The obligation to assess the impact of planned data processing activities on the protection of personal data ('Data Protection Impact Assessment'), where the data processing type likely carries a high risk for the rights and liberties of natural persons;
(3) The obligation to consult the relevant regulatory body before data processing in case a Data Protection Impact Assessment shows that the processing activity would carry a high risk if the Data Controller did not take measures to mitigate this risk.
(d) In Appendix 2, the contractual parties define the appropriate Technical and Organisational Measures (TOM) with which the Data Processor is obliged to support the Data Controller in fulfilling this clause, as well as the scope and extent of the necessary support.
7 Notification of a Personal Data Breach
(a) In the case of a personal data breach, the Data Processor will act in good faith and trust to work with and support the Data Controller in any suitable way in fulfilling the Data Controller's obligation to undertake a Data Protection Impact Assessment, while taking into account the type of processing and the information available to the Data Processor.
(b) The Data Processor supports the Data Controller in notifying the relevant regulatory body of the personal data breach. The Data Processor is obliged to help procure particularly the following information, which is to be included in the Data Controller's notification according to Applicable Data Protection Regulations. This information principally constitutes:
(1) The nature of the personal data including, wherever possible, the categories and approximate number of affected persons as well as the categories and approximate number of personal data sets;
(2) The likely consequences of the personal data breach;
(3) The measures taken or planned by the Data Controller to remedy the personal data breach, including, where applicable, measures to mitigate possible negative consequences.
8 Termination
(a) The Data Controller has the right to terminate this DPA as well as the underlying agreement if:
(1) The Data Processor violates to a significant degree or permanently the applicable data protection laws (in particular the FADP) or the Data Processor's obligations according to the Applicable Data Protection Regulations, and the violation is not expected to be remedied;
(2) The Data Processor does not comply with a legally binding ruling made by a relevant court or a relevant regulatory body regarding the Data Processor's obligations in accordance with Applicable Data Protection Regulations.
(b) This DPA remains comprehensively in place as long as the contractual relationship entered by both parties is in place.
9 Liability and Indemnity
(a) The liability stipulations of the underlying agreement are applicable.
(b) The Data Controller must reimburse the Data Processor in full for expenses arising from any services within the scope of the aforementioned support obligations (Art. 5.5, 6 et seqq.). These services are payable at the Data Processor's standard hourly rates.
10 Jurisdiction and Applicable Law
The place of jurisdiction is the place of business of the Data Processor. Swiss substantive law is applicable.
11 Other Matters
Where no stipulation is made herein, the contractual clauses of the underlying agreement are applicable.
Appendix 1
Processing Purpose | Processing of personal data on behalf of the Data Controller based on a variety of service agreements (the 'underlying agreement') |
Processing Duration | As long as underlying agreements with the customer are in place |
Categories of Affected Persons* | Customers, employees, suppliers |
Categories of Personal Data* | Date of birth/age, contact information (email, phone no.), home address, IP address, name, nationality and passport/ID. Personal data which requires added protection (Special Category Data) may also be processed. |
Storage and Processing Location | The Data Processor's business address and the business address of agreed third-party data processors, as well as respective data centres, as outlined in this DPA |
On-site Audits | No |
* Categories of Personal Data as well as of Affected Persons are defined by the Data Controller without the assistance of the Data Processor. The list is purely exemplary.
Appendix 2
A description of the technical and organisational security measures implemented by the Data Processor(s) can be found here:
https://docs.nine.ch/docs/legal-documents/technical-and-organizational-measures-toms
Appendix 3
The following third-party data processors are called on for rendering data processing services:
Service Provider | Processing Location | Service Rendered | Solely Applies to the Following Products
---|---|---|---
Google Cloud EMEA Ltd, Ireland | Switzerland | Cloud Services (GCP) | Managed GKE
Nine Internet Solutions Ltd | Canada | Emergency support and maintenance activities | All products
Cloudflare, Inc., United States | Worldwide | CDN, DDoS Protection | Cloudflare
Zadara Ltd, Israel | Switzerland | Software | S3 Storage
Wittwer IT Services, Switzerland | Switzerland | Email services | 