According to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, “GDPR”), this Data Protection Addendum is
Between
[NAME], with registered office in [ADDRESS] and hereafter referred to as the “Customer”
And
ORCA AG., with the registered office in Zurich, Baeckerstrasse 26, and hereafter referred to as the “Provider”.
The Customer and Provider are together referred to as “Parties” in this Agreement.
WHEREAS
- The Parties concluded an Agreement concerning the provision of cloud services and software licensing (hereinafter also referred to as the “Agreement”), as explained in detail in the Agreement itself;
- in the execution of the Agreement, the Provider accesses the Customer’s data as set out in the Privacy Policy;
- the Provider shall collect and process data acquired and/or received during the performance of the Agreement, mainly through electronic means and for purposes related to the fulfilment of the obligations undertaken upon the signing of the Agreement;
- Provider shall only process Customer Personal Data on Customer’s documented instructions, including as set out under this Agreement unless Applicable Laws otherwise require processing. If Provider engages in processing based upon legal requirements, Provider shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before such processing of Personal Data.
CONSIDERING THAT
the Provider meets the requirements of experience, professionality, and reliability concerning the protection of personal data and it provides adequate and reasonable guarantees regarding the implementation of appropriate technical and organisational measures to ensure that the processing complies with the GDPR requirements and safeguards the rights of data subjects;
THEREFORE, THE PARTIES AGREE AS FOLLOWS
The Provider accepts responsibility for the processing operations on the data acquired and/or received in the performance of the Agreement, in order to fulfil the obligations provided for by the aforementioned privacy regulations, and in doing so the Provider shall comply with the following:
- The Provider shall handle the relevant data exclusively to perform the activities outlined in the Agreement, lawfully and fairly, and in compliance with the provisions of personal data protection law, as well as the provisions of the Agreement itself.
- Regarding this DPA, the Provider shall be obliged to:
  - comply with any requirements provided for by the GDPR, including future amendments and additions to existing privacy legislation;
  - comply with the operational instructions and guidelines outlined herein, drafted in accordance with the GDPR;
  - either return or destroy the personal data at the end of the processing, as per the written instructions provided by the Customer, and provide an appropriate certificate confirming this, so as to ensure the security of the personal data and comply with legal formalities;
  - maintain records of the processing activities performed on behalf of the Customer;
  - ensure that the individuals entrusted with sensitive access have committed to confidentiality or are bound by appropriate confidentiality obligations;
  - adopt and comply with all appropriate measures in accordance with the risk level of the processing, as outlined in Articles 32 et seq. of the GDPR;
  - cooperate in the event of requests received from the Supervisory or Judicial Authorities pertaining to the processing operations covered by this deed, providing the Customer with all necessary information required to address the Authorities’ inquiries in a timely manner;
  - promptly inform the Customer if it directly receives requests from the Supervisory or Judicial Authorities or undergoes inspections, and cooperate in any necessary or requested actions and interventions;
  - provide the Customer with the documentation necessary to demonstrate compliance with all obligations and to allow the performance of audits, including inspections, conducted by the Customer or designated Sub-Processors;
  - assist the Customer, whenever feasible, in fulfilling its obligation to respond to requests related to data subjects’ rights as per Articles 12 et seq. of the GDPR;
  - promptly inform the Customer of any deficiencies identified in the security measures, or of any aspect of the processing that could potentially expose the Customer to civil and/or criminal liability, so that appropriate precautions can be taken;
  - inform the Customer without undue delay of any personal data breaches that occur during the processing carried out on its behalf and provide the Customer, within 24 hours of becoming aware of the breach, with relevant information that may have an impact on the security of the personal data processed;
  - unless otherwise agreed upon with the Customer, store the data within Switzerland and the European Economic Area (EEA), including when the processing, in whole or in part, is carried out by any Sub-Processors appointed in accordance with this DPA.
- The Provider may use Data Processor(s) (hereinafter also referred to as “Sub-Processor”) with prior written authorisation to manage specific processing activities, providing periodic updates to the Customer (at least every six months) regarding any appointment and/or replacement. The communication shall specify the delegated processing activities, the identifying information of the Sub-Processor, and the details of the outsourcing contract. The Sub-Processor must be bound by obligations similar to those imposed by the Customer on the Provider, as stated in a specific contract or appointment agreement. It is the responsibility of the Provider to ensure that the Sub-Processor provides adequate guarantees in terms of expertise, reliability, and resources for implementing suitable technical and organisational measures to ensure compliance with the principles and requirements of the GDPR. Should the Sub-Processor fail to fulfil its data protection obligations, resulting in a personal data breach, the Provider shall remain fully liable to the Customer for such shortcomings. The Customer reserves the right to verify the guarantees and the technical and organisational measures of the Sub-Processor through audits and inspections, including by making use of third parties. To this end, the Customer shall give the Sub-Processor at least five working days’ notice in advance.
- Data processing is to be understood as being carried out, under Article 28 of the GDPR, under the supervision of the Customer, who may, at any time and with due notice, carry out audits and issue any further specific instructions for its performance, as well as request its termination if imposed by the need to comply with legal prohibitions or obligations, or with provisions of the Supervisory and/or Judicial Authorities.
This appointment of the Provider shall be deemed revoked, as of right, upon the expiration or termination, for any reason, of the Agreement (of which this DPA constitutes an integral and substantial part), including any implicit or explicit renewals of the aforementioned contractual relationship, with effect from the date of such termination.
All communications provided for by this deed of appointment, as well as any communication concerning personal data protection in general, shall be made by registered letter with acknowledgement of receipt or by certified e-mail.
IN WITNESS WHEREOF, this Agreement is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
Customer                                  Provider
Signature: ________________________       Signature: ___________________
Name: _____________________________       Name: _______________________
Title: ____________________________       Title: ______________________
Date Signed: ______________________       Date Signed: ________________
Signature: ________________________       Signature: ___________________
Name: _____________________________       Name: _______________________
Title: ____________________________       Title: ______________________
Date Signed: ______________________       Date Signed: ________________