This agreement governs the rights and obligations of the Client and Leftclick AG as Processor (together the "Parties") in connection with the processing under data protection law (collectively the "Processing") of personal data (collectively the "Personal Data").
This agreement applies to all activities in which the Processor processes Personal Data on behalf of the Client, in whole or in part, or has such Personal Data processed on its behalf (collectively "process").
The Processor is subject to Swiss data protection law, in particular the applicable Federal Act on Data Protection (FADP).
By means of this agreement, the Processor enables the Client to comply with the applicable data protection requirements for Processing, in particular pursuant to Art. 10a FADP or Art. 9 of the new Swiss Federal Act on Data Protection (nFADP) entering into force on 1 September 2023.
The Processing is carried out in accordance with existing or future contractual agreements between the Parties. The provisions of this agreement take precedence in case of conflict between this agreement and other contractual arrangements between the Parties.
The Processing covers any handling of Personal Data regardless of the means and procedures used, in particular archiving, storing, disclosing, collecting, deleting, retaining, modifying, destroying and using Personal Data. Personal Data comprises all information relating to an identified or identifiable individual.
The Processing covers the categories of Personal Data listed in Annex 1. The Processing covers the categories of data subjects whose Personal Data is processed as set out in Annex 2.
Term
The Processor processes Personal Data for an indefinite period until termination of this agreement or the last contractual arrangement between the Parties involving Processing.
Instructions
The Processor processes Personal Data solely as contractually agreed or in accordance with documented instructions from the Client, unless the Processor is legally or regulatorily obliged to carry out specific processing. In such a case, the Processor informs the Client upon request about this legal or regulatory obligation unless the information is legally prohibited.
The Client may issue additional documented instructions throughout the entire term of the Processing.
The Processor promptly informs the Client if it believes that contractual arrangements or issued instructions infringe applicable data protection requirements.
Purpose Limitation
The Processor processes Personal Data exclusively for the purpose(s) specified in the contractual agreements between the Parties (Section 2.1), unless the Processor receives further documented instructions from the Client.
The Processor implements at least the technical and organizational measures (TOM) specified in Annex 3 to ensure the security of the Personal Data processed. These measures particularly include protecting Personal Data against security breaches that, whether accidental or unlawful, result in unauthorized disclosure of Personal Data, unauthorized access to Personal Data, or alteration, loss, or destruction of Personal Data (collectively the "Data Security Breaches").
The Processor grants its personnel access to Personal Data only to the extent necessary for the execution, monitoring and administration of this agreement. The Processor ensures that authorized persons are bound by confidentiality or are subject to an appropriate statutory duty of secrecy.
The Parties must be able to demonstrate compliance with this agreement.
The Processor handles requests from the Client regarding Processing under this agreement appropriately and without undue delay.
Upon request, the Processor provides the Client with all information required to demonstrate compliance with the requirements set out in this agreement and resulting directly from applicable data protection provisions.
The Processor enables the Client, upon request, to audit the Processing pursuant to this agreement at reasonable intervals or where there is documented evidence of non-compliance, and contributes to such audits.
The Client may perform an audit itself or through an independent auditor. Such audits are limited to one day per calendar year. Audits may also include inspections of the Processor's physical facilities if necessary, provided they take place during normal business hours without disrupting operations and subject to reasonable advance notice. Such inspections are only permitted if the audit cannot be carried out through other suitable evidence such as attestations, documentation, certificates or certifications, particularly for data centers.
The Client bears the Processor's costs for audits under Sections 5.4 and 5.5.
The Parties provide the competent supervisory authority or authorities with the information mentioned in this Section 5, including audit results, upon request unless disclosure is legally prohibited.
The Client grants the Processor general authorization to engage subprocessors listed in Annex 4.
The Processor notifies the Client at least 14 days in advance, electronically or in writing, of any intended changes to this list by replacing or adding subprocessors. This grants the Client sufficient time to raise objections before engagement. The Processor provides the information necessary for the Client to exercise its right to object.
If no timely objection is raised, the intended changes are deemed approved. If the Parties cannot reach an amicable resolution following an objection and the Client is unwilling to withdraw it, either Party may extraordinarily terminate this agreement with effect as of the planned changes.
The Processor must impose substantially the same contractual obligations on subprocessors as those applicable to the Processor under this agreement. The Processor ensures that every subprocessor complies with the obligations applicable to the Processor under this agreement and relevant data protection requirements.
Any export of Personal Data to a country outside Switzerland and the member states of the European Economic Area (EEA) or to an international organization occurs solely as contractually agreed or pursuant to documented instructions from the Client, unless the Processor is legally obliged to carry out a specific data export. In such cases, the Processor informs the Client about this obligation unless disclosure is legally prohibited.
Any export of Personal Data to a country outside Switzerland and the EEA generally takes place only if the data protection laws of that country guarantee an adequate level of protection both from the perspective of the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the Swiss Federal Council and from the perspective of the European Commission.
Export of Personal Data to a country outside Switzerland and the EEA whose data protection laws do not ensure an adequate level of protection may only occur exceptionally if another mechanism ensures an adequate level of protection under applicable data protection requirements, particularly pursuant to international agreements or based on valid Standard Contractual Clauses adopted by the European Commission. The Processor may adapt or supplement such European Standard Contractual Clauses in line with FDPIC recommendations to ensure they also meet Swiss data protection requirements and thus provide an adequate level of protection for data exports from Switzerland.
The Processor promptly informs the Client of any request it receives from a data subject relating to the Processing. The Processor may acknowledge receipt to the data subject but does not otherwise respond unless authorized by the Client.
Taking into account the nature of the Processing, the Processor assists the Client in fulfilling its obligation to respond to data subjects' requests to exercise their rights, following the Client's instructions.
Further assistance duties
Maintaining any required records of processing activities.
Conducting data protection impact assessments where planned processing by the Client is likely to result in a high risk to data subjects' rights or personality.
Consulting the competent supervisory authority or authorities prior to processing if a data protection impact assessment indicates that the planned processing remains high-risk despite envisaged measures.
Ensuring that Personal Data is accurate and up to date by promptly informing the Client if the Processor determines that Personal Data it processes is inaccurate or outdated.
Ensuring risk-appropriate data security, in particular through suitable technical and organizational measures (TOM) pursuant to Section 4.
The Client bears the Processor's costs for the assistance described in Sections 8.1, 8.2 and 8.3 points 1–4.
In the event of a Data Security Breach, the Processor cooperates with and assists the Client in fulfilling its obligations to notify the competent supervisory authority or authorities and to inform affected data subjects, taking into account the nature of the Processing and the information available to the Processor.
Breaches affecting Personal Data processed by the Client
In case of a breach affecting Personal Data processed by the Client, the Processor assists the Client as follows:
Supporting the prompt notification of the breach to the competent supervisory authority or authorities after the Client becomes aware of it, where required (unless the breach is unlikely to result in a high risk to data subjects' rights or personality), and, once available, obtaining the information that must be included per applicable data protection requirements.
Supporting the notification of affected data subjects where required to protect them or mandated by a competent supervisory authority.
The Client bears the Processor's costs for the assistance described in this Section 9.2.
Breaches affecting Personal Data processed by the Processor
The Processor informs the Client without undue delay upon becoming aware of a breach affecting Personal Data it processes.
As part of this notification, the Processor provides, as soon as available, the information the Client requires under applicable data protection law, in particular:
A description of the nature of the breach (where possible indicating the categories and approximate number of affected persons and data records).
Contact details of a point of contact for additional information about the breach.
Likely consequences of the breach and measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
The Processor bears the costs for the assistance under this Section 9.3.
If the Processor fails to comply with this agreement, the Client may instruct the Processor to suspend the Processing of Personal Data until the Processor complies or the agreement ends. The Processor informs the Client immediately if it is unable to comply with this agreement for any reason.
Liability is governed by any applicable liability provisions in the contractual agreements between the Parties (Section 2.1).
The Client may terminate this agreement extraordinarily and with immediate effect if:
the Client has suspended Processing under Section 10 and compliance with this agreement has not been restored within a reasonable period, in any case no later than one month after suspension;
the Processor materially or persistently breaches this agreement or fails to meet applicable data protection requirements;
the Processor fails to comply with a binding decision of a competent supervisory authority or court concerning the Processor's obligations under applicable data protection law.
The Processor may terminate this agreement extraordinarily and with immediate effect if the Client insists on implementing a contractual arrangement or instruction after being informed by the Processor pursuant to Section 3.2.3 that it infringes applicable data protection requirements.
Either Party may terminate this agreement with three months' notice to the end of a month, unless contractual agreements between the Parties provide for no notice period or a different notice period.
Upon termination, the Processor, at the Client's choice, deletes all Personal Data processed on behalf of the Client and certifies deletion, or returns all Personal Data to the Client and deletes existing copies, unless the Processor is legally or regulatorily entitled or obliged to retain the Personal Data. If the Client does not communicate its choice within four weeks after termination, the Processor deletes the Personal Data. Until deletion or return, the Processor ensures compliance with this agreement.
This agreement may be concluded electronically or in writing and may form part of general terms and conditions or similar legal texts. Amendments may also be made electronically.
The Parties inform each other of any data protection advisor or data protection officer pursuant to applicable data protection requirements.
The Parties must keep all knowledge of each other's trade secrets and Personal Data obtained under this agreement confidential beyond termination, unless a Party is legally obliged to disclose specific information. In such cases, the obliged Party informs the other Party unless legally prohibited. In case of doubt, information must remain confidential until explicitly released by the other Party.
If any provision of this agreement is unenforceable, invalid or ineffective, the remaining provisions remain unaffected. The Parties replace the affected provision with one that is enforceable, valid and effective, and that best achieves the intended data protection outcome.
This agreement is governed exclusively by Swiss law. Conflict-of-law provisions and the UN Sales Convention are excluded. The exclusive place of jurisdiction is the Processor's registered office.
Technical and Organizational Measures (see page Technical and Organizational Measures).
Subprocessors (see page Sub-processors).