Data processing agreement

Agreement 

 

between the customer (hereinafter referred to as "Principal") 

 

and

 

IBV Informatik, Beratungs und Vertriebs AG, Stallikerstrasse 1a, 8906 Bonstetten, Switzerland

(hereinafter referred to as "Contractor")

 

on processing on behalf of a controller within the meaning of Article 28(3) of the General Data Protection Regulation (GDPR). 

 

Preamble

This Agreement sets forth the obligations of the parties with respect to data protection arising from the processing that Collaboard carries out on behalf of the Principal, as described in detail in the Collaboard Terms and Conditions and Privacy Policy. It applies to all activities related to the Agreement in which employees of Collaboard or agents of Collaboard process personal data ("Data") of the Principal.

 

1.     Subject and duration of the contract

(1)   The subject matter and duration of the processing, as well as its type and purpose, are set out in the General Terms and Conditions and the Privacy Policy.

(2)   In particular, the following categories of personal data are processed: 

       Contact details of users (profile picture, surname, first name, e-mail address and similar);

       Contract data of users (subscription information, date of contract conclusion, etc.);

       Payment details;

       Usage behavior data (history of changes to projects, time of usage, etc.);

       Identification data (cookies, login data, IP address and similar);

       Data stored in digital projects of the users on the Collaboard platform.

(3)   The personal data is collected and used to provide and improve the services offered in the context of registration, login and use of Collaboard. In addition, the personal data is used for communication with users and for statistical purposes.

(4)   The duration of this Agreement is determined by the duration of the main contract, unless the provisions of this Agreement impose obligations that extend beyond the duration of the main contract.

 

2.     Scope and responsibility 

(1)   The Contractor processes personal data on behalf of the Principal. This includes the activities specified in the main contract and in the service description.

 

3.     Responsibility and right of instruction

(1)   As the controller pursuant to Art. 4 No. 7 GDPR, the Principal is responsible for compliance with the data protection regulations, in particular for the selection of the Contractor, the data transmitted to the Contractor and the instructions issued. 

(2)   The Contractor may process data only within the framework of the main contract and the instructions of the Principal (including, in particular, instructions on rectification, erasure or restriction of processing), and only insofar as the processing is necessary for this purpose. This does not apply where the Contractor is obliged to process the data by the law of the Union or of a Member State to which the Contractor is subject; in that case the Contractor shall notify the Principal of the legal requirement prior to processing, unless that law prohibits such notification on important grounds of public interest. 

(3)   The contracting parties may appoint persons authorized to give and receive instructions (in particular where these do not already follow from the main contract) and shall inform each other of any changes to these appointments without delay.

 

4.     Security concept and related obligations

(1)   The Contractor shall organize its internal operations within its area of responsibility in accordance with the legal requirements. In particular, it shall implement and maintain technical and organizational measures (hereinafter "TOMs") that ensure appropriate security, in particular the confidentiality, integrity and availability of the Principal's data, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects. 

(2)   The Contractor shall ensure that the persons authorized to process the Principal's data are bound to confidentiality and secrecy and have been instructed in the protective provisions of the GDPR, or are subject to an appropriate statutory duty of confidentiality.

(3)   The data and data carriers provided within the scope of the contract, and all copies made thereof, remain the property of the Principal. The Contractor shall store them carefully, protect them against access by unauthorized third parties and destroy them only with the Principal's consent and in accordance with data protection regulations. Copies of data may be made only where they are necessary for the fulfilment of the Contractor's primary and ancillary obligations towards the Principal (e.g. backups).

 

5.     Information and cooperation obligations

(1)   Data subjects shall exercise their rights vis-à-vis the Principal. The Contractor shall support the Principal in this respect in accordance with Art. 28(3) sentence 2 lit. e GDPR and shall in particular inform the Principal of any requests it receives from data subjects. 

(2)   The Contractor shall inform the Principal immediately and in full if it discovers errors or irregularities in the processing of the data with regard to compliance with the provisions of this Agreement or with the relevant data protection regulations.

(3)   If the Contractor discovers facts that give reason to assume that the protection of the data processed for the Principal has been breached, the Contractor shall inform the Principal immediately and completely, take the necessary protective measures without delay, and assist the Principal in fulfilling its obligations under Articles 33 and 34 GDPR (notification of a personal data breach to the supervisory authority and communication to the data subjects).

(4)   If the security of the Principal's data is endangered by measures taken by third parties (e.g. creditors, authorities, courts) such as seizure, confiscation or insolvency proceedings, the Contractor shall inform the third parties without delay that control of and ownership in the data lies exclusively with the Principal and, after consultation with the Principal, shall take appropriate protective measures where necessary (e.g. lodge objections or applications).

(5)   The Contractor shall inform the Principal without delay if a supervisory authority takes action in respect of the Contractor and that action may affect the data processed for the Principal. The Contractor shall support the Principal in the performance of its duties vis-à-vis supervisory authorities (in particular the duty to provide information and to tolerate inspections) pursuant to Art. 31 GDPR.

(6)   The Contractor shall provide the Principal with the information concerning the processing of data within the scope of this Agreement that the Principal needs to fulfil its statutory obligations (including, in particular, responding to inquiries from data subjects or authorities, complying with its accountability obligations pursuant to Art. 5(2) GDPR, and carrying out a data protection impact assessment pursuant to Art. 35 GDPR), insofar as the Principal does not itself have this information. This applies only to information that is already available to the Contractor and need not be obtained from third parties; employees, agents and subcontractors of the Contractor are not considered third parties for this purpose.

(7)   If the provision of the necessary information and cooperation exceeds the Contractor's obligation to perform under the main contract and is not the result of misconduct on the part of the Contractor, the Principal shall separately remunerate the Contractor for the additional work and expenses incurred.

 

 

6.     Subcontracting

(1)   Where the Contractor uses the services of a sub-processor (i.e. a subcontractor) to carry out certain processing activities on behalf of the Principal, the Contractor shall impose on the sub-processor, by means of a contract or any other legal instrument permissible under the GDPR, the same data protection obligations as those to which the Contractor has committed itself in this Agreement, in particular as regards following instructions, complying with the TOMs, providing information and tolerating inspections. Furthermore, the Contractor shall carefully select the subcontractor, verify its reliability, and monitor it and its compliance with the contractual and legal requirements. Without prejudice to any restrictions imposed by the main contract, the Principal expressly agrees that the Contractor may use subcontractors in the course of the processing. Any subcontracting relationships already existing at the time this Agreement is concluded (see Section 11) are deemed approved by the Principal.

(2)   The Contractor shall inform the Principal of any changes of subcontractors that are relevant to the processing. The Principal shall exercise its right to object to such changes or to new sub-processors only in accordance with the principles of good faith, reasonableness and fairness.

(3)   Contractual relationships in which the Contractor uses the services of third parties as a purely ancillary service in order to carry out its business activities (e.g. cleaning, guarding or transport services) do not constitute subcontracting within the meaning of the above provisions of this contract. Nevertheless, the Contractor shall ensure, e.g. by means of contractual agreements or notices and instructions, that the security of the data is not jeopardised in this connection and that the provisions of this contract and the data protection regulations are complied with. 

(4)   The Contractor shall have the right, at any time and to the extent necessary, to monitor compliance with the statutory requirements and the provisions of this Agreement, in particular the TOMs, at the subcontractor's premises.

 

7.     Processing in third countries

(1)   The contractually agreed data processing takes place exclusively in a member state of the European Union, in another state that is a party to the Agreement on the European Economic Area, or in Switzerland. 

(2)   Processing in a third country, including by subcontractors, requires the prior consent of the Principal and may be carried out only if the special conditions laid down in Art. 44 et seq. GDPR are fulfilled, unless the Contractor is obliged to process in the third country by the law of the Union or of a Member State to which the Contractor is subject.

(3)   An appropriate level of protection in a third country is established in each case by an adequacy decision of the Commission pursuant to Art. 45(3) GDPR or by standard data protection clauses pursuant to Art. 46(2) lit. c and d GDPR. 

 

8.     Correction, restriction and deletion of data

(1)   The rectification, erasure or restriction of processing of personal data requires documented instructions from the Principal. 

 

9.     Liability

Liability is determined in accordance with Art. 82 GDPR. 

 

10.  Technical and organizational measures (TOM)

The following technical and organizational measures (TOM) are basic for data processing:

(1)   Physical access control: no unauthorized physical access to data processing systems; minimum measures include, e.g., magnetic or chip cards, keys, electric door openers, site security or reception staff, alarm systems and/or video surveillance;

(2)   System access control: no unauthorized use of data processing systems, e.g. (secure and enforced) passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers;

(3)   Data access control: no unauthorized reading, copying, modification or removal of data within the system, e.g. authorization concepts and need-based access rights, logging of access;

(4)   Pseudonymisation: processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organizational measures;

(5)   Encryption;

(6)   Input control: the ability to determine whether and by whom personal data have been entered, modified or removed in data processing systems, e.g. logging, document management;

(7)   Transfer control: no unauthorized reading, copying, modification or removal of data during electronic transmission or transport, e.g. VPN, electronic signature;

(8)   Availability control: measures to ensure that personal data are protected against accidental destruction or loss, e.g. backup copies of the data stock, uninterruptible power supply, virus protection, firewall;

(9)   Separation control: measures to ensure that data collected for different purposes are processed separately;

(10)  Procedures for regular review, assessment and evaluation: data protection by default, contract (order) control, data protection management.

 

The technical and organizational measures are subject to technical progress and further development. The Contractor may implement alternative adequate measures, provided these do not fall below the security level of the measures agreed here. 

 

11.  Subcontractors

The following subcontractors (sub-processors) are engaged at the time of conclusion of this Agreement:

Service: HubSpot
Address: HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland
Purpose: CRM system
Personal data: IP address, e-mail address, contact data, login data, cookie data, support content

Service: Microsoft Azure
Address: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Purpose: server hosting
Personal data: e-mail address of user, IP address, user name, user content

Version 1.0, Bonstetten, June 6, 2020