TIN No.: CHE‑412.131.272
(the “Data Processor”)
Each individual locize customer that inweso GmbH processes data for and that has not otherwise entered into a valid data processor agreement with inweso GmbH
(the “Data Controller”)
(hereinafter referred to individually as a “Party” or together as the “Parties”)
1. INTRODUCTION AND DEFINITIONS
The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.
(1) This DPA regulates the rights and obligations of the Parties in the context of the processing of personal data on behalf of the customer.
(2) This DPA applies to all activities in which employees of the Data Processor or subcontractors commissioned [ordered] by the Data Processor process personal data of the Data Controller on its behalf.
2. PURPOSE, SCOPE AND RESPONSIBILITIES
2.1 The Data Processor shall only process personal data in accordance with the applicable data protection laws and the terms of this DPA.
2.2 The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement and only within the scope of Controller's written instruction.
2.3 Data processing by the Data Processor shall include such actions as may be specified in the Agreement.
2.4 The term of this DPA shall continue until the latter of the following; the termination of the Agreement, or the date at which the Data Processor ceases to process personal data for the Data Controller.
3. SUBJECT MATTER AND DATA FLOW
The Data Processor is a software development company, assigned by the Data Controller to make available to the Data Controller software as a service for supporting the localization process. The content of this DPA reflects the limited amount of personal data the Data Processor handles for the Data Controller.
Categories of Data Subjects
Data Controller may submit Personal Data to the services, the extent of which is determined and controlled by Data Controller in its sole discretion, and which may include, but is not limited to Controller’s contacts and other end users including Controller’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Data Controller’s end users.
Types of Personal Data
Subject-Matter and Nature of the Processing
Processing shall begin on first usage of the services and continue indefinitely until termina-tion of the Agreement or this DPA by either party
Deletion or return of Controller Personal Data
Subject to statutory obligations to retain documentation, Data Processor shall promptly and in any event within 20 business days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Controller Personal Data.
Marking data as deleted will be done immediately and the definitive deletion will occur by an automatic cleaning routine.
The data may be still existent in technical backups, which will also be automatically deleted later on.
4. CONTROLLER RESPONSIBILITY
Within the scope of the Agreement and in its use of the services, Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Data Processor and the Processing of Personal Data. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Law. This DPA is Customer’s complete and final instruction to inweso GmbH in relation to Personal Data and that additional instructions outside the scope of DPA would require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (as individual instructions). Oral instructions have to be confirmed in writing or in a documented electronic format.
Controller shall inform Data Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
The Controller is obliged to treat all knowledge of business secrets and data security measures of the Data Processor obtained within the scope of the contractual relationship as confidential. This obligation shall remain in force after the termination of this DPA or the Agreement
5. OBLIGATIONS OF PROCESSOR
a. Compliance with Instructions
The Parties acknowledge and agree that Customer is the Controller of Personal Data and inweso GmbH is the Data Processor of that data. Data Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions and not for own pur-poses of the Data Processor. If the Data Processor believes that an Instruction of the Con-troller infringes the Data Protection Law, it shall immediately inform the Controller without delay. If Data Processor cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable law, Data Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller is-sues new instructions with which Data Processor is able to comply. If this provision is in-voked, Data Processor will not be liable to the Controller under the Agreement for any fail-ure to perform the applicable services until such time as the Controller issues new instruc-tions in regard to the Processing.
Data Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, but are not limited to:
i. the prevention of unauthorized persons from gaining access to Personal Data Processing systems,
ii. the prevention of Personal Data Processing systems from being used without authorization,
iii. ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization,
iv. ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified,
v. ensuring that Personal Data is Processed solely in accordance with the Instructions,
vi. ensuring that Personal Data is protected against accidental destruction or loss.
vii. implementing and maintaining the technical and organisational measures which constitutes the agreed minimum standard by the processor to comply with Article 32 para. 1 GDPR
More detailed information about security by the Data Processor can at every given time be asked upon request to the Data Processor.
Data Processor will facilitate Controller’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures, (ii) complying with the terms of Section 5.d. (Personal Data Breaches); and (iii) providing the Controller with information in relation to the Processing.
The Data Processor agrees that the Controller is entitled – after prior appointment – to verify compliance with the regulations on data protection and data security as well as with the contractual agreements to an appropriate and necessary extent, either through Controller himself or through a third party appointed by the Controller, in particular by obtaining information and inspecting the stored data and the data processing programs as well as by checks and inspections on site. If inspections should be necessary by the Controller or a third party ap-pointed by the Controller, these will be carried out during normal business times without interfering with the business operations. If the third party appointed by the Controller is a competitor of the Data Processor, the Data Processor has the right to object to inspection through the appointed third party.
The Data Processor undertakes to maintain confidentiality when processing Controller's Personal Data. Data Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.
d. Personal Data Breaches
Data Processor will notify the Controller without undue delay after it becomes aware of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Data Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.
e. Deletion or Retrieval of Personal Data
Subject to statutory obligations to retain documentation, following termination or expiration of the Agreement, Data Processor will delete or return all Personal Data (including copies thereof) processed pursuant to this DPA. If Data Processor is unable to delete Personal Data for technical or other reasons, Data Processor will apply measures to ensure that Personal Data is blocked from any further Processing.
Controller shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period of time set by Data Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by Controller.
f. Data Protection Impact Assessments and Consultation with Supervisory Authorities
To the extent that the required information is available to Data Processor and the Controller does not otherwise have access to the required information, Data Processor will provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the processing of Personal Data.
g. Data Protection Officer
Where required by law,
Mr. Adriano Raiano
Director, inweso GmbH
Email: [email protected]
has been appointed as Data Protection Officer.
6. DATA SUBJECT REQUESTS
Data Processor will enable Controller to respond to requests from Data Subjects to exercise their rights under the applicable Data Protection Law in a manner consistent with the functionality of the service. To the extent that Controller does not have the ability to address a Data Subject request, then upon Controller’s request Data Processor shall provide reasonable assistance to the Controller to facilitate such Data Subject request to the extent able and only as required by applicable Data Protection Law. Controller shall reimburse Data Processor for the commercially reasonable costs arising from this assistance.
Data Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Data Processor, Processor will promptly inform Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests.
a. Appointment of Sub-Processors
Where Data Processor engages sub-Processors, Data Processor will enter into a contract with the sub-Processor that imposes on the sub-Processor the same obligations, including the application of appropriate technical and organizational measures, that apply to Data Processor under this DPA and the applicable data protection law. Where the sub-Processor fails to fulfill its data protection obligations, Data Processor will remain liable to the Controller for the performance of such sub-Processors obligations.
Where a sub-Processor is engaged, the Controller must be granted the right to monitor and inspect the sub-Processor’s activities in accordance with this DPA and the Data Protection Law, including to obtain information from the Data Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations under the sub-Processing contract, where necessary by inspecting the relevant contract documents.
The provisions of this section shall mutually apply if the Data Processor engages a sub-Processor in a country outside the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, inweso GmbH transfers any Personal Data to a sub-Processor located outside of the EEA, inweso GmbH shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
b. Current Processor List and Notification or Objection to New Sub-Processors
8. DATA TRANSFER
The Data Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Controller. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
9. GOVERNING LAW AND JURISDICTION
9.1 This DPA is governed by Swiss law.
9.2 Any dispute arising out of or in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Zurich, subject to possible appeal to the Swiss Federal Supreme Court in Lausanne.
10. CHANGES TO OUR DPA
This DPA may change from time to time in line with legislation or industry developments. We will not explicitly inform our website users of these changes but our clients will get informed 14 days upfront of any sensible change via in app notification and email. For website users we recommend that you check this page occasionally for any changes. Specific changes and updates are mentioned in the change log below.
11. Change log
- made DPA publicly available