Data Processing Agreement (DPA) between the owner of a Hoop account (“Customer”) and Hoop Corporate SA, Heiligkreuzstrasse 5, 9008 St. Gallen (“Contractor”).
Individually referred to as a “Party” or collectively as the “Parties”.
1. Preamble
(1) The Customer commissions the Contractor with tasks for the processing of personal Data (“Data”) within the meaning of data protection provisions. Here, the Contractor can be a data processor or a further data processor within the meaning of data protection law. Such tasks occur within the framework of performing contracts, warranty rights, hosting and service solutions, support inquiries, maintenance work, or other tasks in which the Contractor receives access to Data (also via “remote access” or data backups) or can otherwise become aware of it through the Customer or its clients.
(2) This Agreement is executed to comply with the legal requirements. It will apply to all activities in connection with contracts concluded between the Parties in which employees of the Contractor or agents commissioned by the Contractor process the Customer’s Data (this also includes Data from the Customer’s clients). In addition, this Agreement will apply to any further contracts providing for data processing that the Parties may conclude with each other in the future.
2. Subject Matter of the Agreement
(1) The subject matter of this Agreement as well as its nature and purpose, are defined by the individual contracts concluded between the Parties that include data processing activities, and to which reference is made here.
(2) The data processing shall be performed by the Contractor in Switzerland and in Member States of the EU. Processing in a third country shall occur in compliance with the consent of the Customer granted herein. The Customer is responsible for ensuring that the necessary legal basis for lawful data processing outside of Switzerland exists.
(3) Any further offshoring of the data processing or of sub-operations thereto in additional third countries shall only occur when the special requirements under data protection law have been satisfied (e.g., adequacy decision, standard data protection clauses, approved codes of conduct, or another suitable guarantee for the data transmission).
(4) Further data processors are currently used to provide data processing in Switzerland and for sub-operations of data processing in Member States of the EU. When using software and tools from data processors outside of Switzerland, the Contractor shall attempt whenever possible to find an on-premises or server solution in Switzerland. The current list of the Contractor’s additional processors, which is part of this Agreement, applies.
3. Term of the Agreement
(1) The term of this Agreement shall be governed by the term of the contracts having as their object data processing between the Parties insofar as no additional obligations or termination rights result from the provisions of this Agreement.
(2) The Parties can terminate this Data Processing Agreement by complying with a notice period of 4 weeks in the event of a serious violation of data protection regulations or of the provisions of this Agreement. In case of minor violations—that is, neither intentional nor grossly negligent violations—the aggrieved Party shall set a reasonable time period within which the breaching Party can remedy the violation.
4. Nature and Purpose of the Processing, Nature of the Data, as well as Categories of Data Subjects
(1) The activities of the Contractor comprise services that are related to the services described in the individual contracts concluded between the Parties and for which data processing by the Contractor may be required.
The activities of the Contractor may comprise the following:
- Hosting of applications, software solutions, and Data
- Installation and testing of software at the Customer’s or its clients’ site
- Remedial actions to services provided
- Maintenance, installation, and testing of provided hotfixes, service packs, and new versions of the software
- Activities in the context of support
- Access to and processing of Data of Customer or its clients
- Receiving and processing data backups
The following types of processing are possible:
- collection, recording, organisation, or structuring of Data
- storage, adaptation, or alteration of Data
- retrieval, consultation, use, and disclosure of Data by transmission
- dissemination or otherwise making available, alignment or combination of Data
- restriction, erasure or destruction of Data
(2) The types of Data processed as well as the categories of data subjects are derived from the individual scope of the contract and the services to be provided. The following types of Data may be affected:
- Basic personal Data
- Copies and details of identity or identification papers
- Information about professional life such as job titles, functions, etc.
- Information about private life such as place of residence, marital status, etc.
- User information such as login data, customer number, user behaviour, consumer behaviour
- Communications data (e.g., telephone, e-mail address)
- Contract master data (contract title, product or contract interest)
- Customer history
- Contract invoicing or payment data
- Planning and control data
- Project data
- Reference information (from third parties, e.g., credit reference agencies, data from public directories)
- Technical information such as IP address, device information, etc.
- Any Data that the Customer transfers to the Contractor within the framework of data processing
In addition, special categories of personal data/sensitive personal data may be affected; in each case, Data is classified in accordance with the applicable data protection legislation.
This Data may affect the following categories of data subjects:
- Natural persons such as the Customer, employees of the Customer, applicants, freelancers, employees of (potential) clients, end clients and business clients, subscribers to the Customer’s contract products, prospective customers, business partners, suppliers, commercial agents, salespersons, and dealers as well as their respective employees as contact persons
- In the case of legal persons, their natural persons such as their employees, employees of their business partners, contracting partners, service recipients, service providers, or other vicarious agents of (potential) clients, suppliers, salespersons, dealers
- In case of other entities, their natural persons such as the employees of public sector entities, in the form of business partners, contracting partners, service recipients, service providers, or other vicarious agents of (potential) clients, suppliers
5. Rights and Authority to Issue Instructions as well as Obligations of the Customer
(1) The Customer and its clients are solely responsible as data controllers (hereinafter “Data Controllers”) within the meaning of data protection provisions for assessing the permissibility of the processing as well as for safeguarding the rights of the data subjects. The Contractor shall forward all inquiries to the Customer insofar as they are identifiably addressed to the Customer or to a Data Controller.
(2) Changes to the object of processing and changes in processes may be coordinated jointly between the Customer and the Contractor and specified in writing or in a documented electronic format.
(3) The Customer has the right to issue instructions to the Contractor and shall normally issue such instructions in writing or in a documented electronic format. The Customer shall confirm oral instructions without delay in writing or in a documented electronic format. The instructions shall be retained for their applicability period and subsequently for at least three full calendar years. Instructions that are not provided for in the individual contract shall be treated as a request for a change in services and shall be paid for by the Customer accordingly.
(4) Persons at the Customer entitled to issue instructions and persons at the Contractor receiving instructions shall be specified individually between the Parties, including the communication channels to be used.
(5) The Customer shall inform the Contractor without delay when the Customer has discovered breaches in the protection of the Data, errors or irregularities during auditing of the contract performance results, or if such become known to it. The Contractor shall take the necessary measures to secure the Data and to mitigate possible adverse consequences for the data subjects and may consult with the Customer in this regard.
(6) The Customer and its clients are the sole Controllers for the Data that is provided to the Contractor. The Customer warrants that this Data was processed in a lawful manner (duty to provide information, legal basis, compliance with data protection principles, etc.), and may be further processed by the Contractor. The Customer shall be solely responsible for assessing the permissibility of data processing and for preserving the rights of the data subjects.
(7) In principle, the Customer will pay reasonable compensation based on the time and expense actually incurred for support services from the Contractor that were not caused by misconduct of the Contractor. The Contractor’s customary hourly rates will apply.
6. Obligations of the Contractor
(1) The Contractor processes Data exclusively within the framework of the agreements made and according to documented instructions of the Customer unless the Contractor is obligated to carry out different processing under individually applicable laws and regulations (e.g., investigations by criminal prosecution authorities or national security authorities); in any such case, before processing, the Contractor shall inform the Customer of these statutory requirements unless the statutory provisions in question prohibit such disclosure in order to protect an important public interest. The purpose, nature and extent of data processing shall be governed exclusively by the present Agreement and/or the Customer’s instructions.
(2) The Contractor shall promptly inform the Customer if an instruction given by the Customer obviously violates statutory provisions. The Contractor is entitled to suspend implementation of the corresponding instruction until it is confirmed or amended by the Data Controller or by the Customer after review. If the Contractor can demonstrate that carrying out a processing operation according to the Customer’s instructions would render the Contractor liable, the Contractor is entitled to refrain from further processing pending clarification of the liability between the Parties.
(3) The Data made available for processing shall not be used by the Contractor for any other purposes, particularly not for the Contractor’s own purposes. No copies or duplicates of the Data shall be created without the Customer’s knowledge. Backup copies are excluded from this insofar as they are necessary to ensure orderly data processing, as well as Data that is necessary for compliance with statutory retention periods.
(4) The Contractor is not permitted to correct, delete, or limit the processing of Data processed under the Agreement autonomously, but only following documented instruction by the Customer.
(5) Within its area of responsibility, the Contractor shall design and monitor its internal organisation in such a way that it meets the special requirements of data protection.
(6) The Contractor shall maintain a list of all categories of processing activities carried out on behalf of the Customer, which shall include all of the information necessary for a record of processing activities.
(7) The Data processed for the Customer shall be strictly separated from other databases. Physical separation is not absolutely necessary.
(8) The data carriers originating from the Customer and/or used on behalf of the Customer shall be marked separately. Their receipt and dispatch as well as their ongoing use shall be documented.
(9) The Contractor shall cooperate to the necessary extent with the Customer in complying with the rights of the data subjects, the security of the processing, reporting of data protection violations, notification of data subjects affected by a violation of the protection, in necessary data protection impact assessments by the Customer as well as in necessary consultations with a supervisory authority, and reasonably support the Customer to the extent possible.
(10) Processing Data outside of the Contractor’s premises, for instance in employees’ home offices, is hereby permitted by the Customer. In such cases, the appropriate technical and organisational data security measures are taken.
(11) The Contractor agrees to maintain confidentiality at all times while processing the Data under the Agreement. This duty shall continue in effect even after the end of this contractual relationship. The Contractor shall also comply with relevant confidentiality protection rules that the Customer is subject to.
(12) Prior to commencing the processing activities, the Contractor has familiarised the employees tasked with performing data processing and other persons working for the Contractor with the provisions of data protection relevant for them, and has obligated them in a suitable fashion to maintain confidentiality for the period of their activity as well as after termination of the employment or other relationship. The employees are prohibited from processing the Data outside of the Customer’s instructions unless the employees are obligated by law to carry out the processing.
(13) A data protection officer has been appointed at the Contractor. The current contact data has been published on the Contractor’s website in easily accessible form.
7. Notification Obligations of the Contractor in case of Data Breaches
(1) When the Contractor becomes aware of a data breach or a breach of data security, the Contractor shall notify the Customer of this orally, in writing or in textual form without undue delay after becoming aware of it.
(2) The notification to the Customer shall at least:
(3) and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(4) describe the measures taken or proposed to be taken by the Contractor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(5) Whenever a duty to provide information exists vis-à-vis third parties (such as the data subjects) or another statutory reporting obligation applicable to the Customer or a Data Controller (e.g., to a supervisory authority), the Customer or the Data Controller is responsible for complying with such duty.
8. Sub-Processing Relationships with further Data Processors
(1) Such sub-processing relationships include those services that relate directly to providing the main service or portions of the main service as provided for under this Agreement. Purely ancillary services such as telecommunications, postal, or transport services, cleaning services, or security services without a specific connection to services that the Contractor provides for the Customer are not included. Preventive maintenance, maintenance, and audit services as well as disposing of data carriers represent such sub-processing relationships insofar as access to or knowledge of the Customer’s Data is possible and insofar as they are provided for IT systems that are also used in connection with providing services for the Customer.
(2) Commissioning further data processors (e.g., addition or replacement) for processing the Customer’s Data is hereby generally permitted for the Contractor. A current list of such further commissioned data processors is available from the Contractor. The Customer hereby declares its consent to their assignment.
(3) The Contractor shall inform the Customer of every intended change with regard to the addition of new or the replacement of previous such commissioned data processors, by which the Customer receives the opportunity to raise objections to such changes.
(4) If no objection is raised by the Customer within the reasonable period communicated by the Contractor, the Customer agrees to the change. If an objection is made within the time limit, the commissioning shall not be permitted. In such a case, the Parties shall find a solution by mutual consent with respect to the additional data processor. If no solution by mutual consent can be found, the parties shall have an extraordinary right of termination. In emergency situations, the Customer shall raise its objection without delay.
(5) The Contractor shall ensure that it carefully selects the further data processor.
(6) Commissioning further data processors in third countries shall only be permissible when the special requirements under data protection law have been satisfied (e.g., adequacy decision, standard data protection clauses, approved codes of conduct, or another suitable guarantee for the data transmission). The Contractor shall ensure this by implementing corresponding measures. If, on the other hand, such transmission of personal data is initiated by the Customer itself, compliance with the corresponding provisions shall be the sole duty of the Customer.
(7) The Contractor shall ensure by contract that the agreed upon regulations between the Customer and the Contractor will also apply vis-à-vis further data processors. The contract with the further data processor shall be drafted in written or electronic form.
9. Technical and Organisational Measures
(1) A level of protection appropriate to the risk to the rights and freedoms of the data subjects affected by the processing shall be ensured for the specific data processing. The goals of protection such as confidentiality, integrity, and availability of the systems and services as well as their resilience with regard to the nature, scope, circumstances, and purpose of the processing will be taken into account in such a way that the risk will be reduced on an ongoing basis, using suitable technical and organisational remedial measures.
(2) A list of the technical and organisational measures taken by the Contractor is available from the Contractor upon request. The measures contained therein represent the appropriate measures implemented by the Contractor to ensure a level of security appropriate to the risks assessed, taking into account the protection goals and the state of the art.
(3) As needed as well as at regular intervals, the Contractor will carry out a process to test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of the processing. The result together with the audit report may be communicated to the Customer upon request. The measures at the Contractor may be adjusted to technical and organisational developments over the course of the data processing relationship.
(4) Insofar as the measures taken at the Contractor do not satisfy the Customer’s requirements, the Customer shall notify the Contractor immediately.
10. Rights and Claims of the Data Subjects
(1) The Contractor shall support the Customer to the extent possible with suitable technical and organisational measures in the performance of the Customer’s duties with regard to inquiries and claims of the data subjects.
(2) If a data subject contacts the Contractor with demands for correction, blocking, deletion, or access, the Contractor shall immediately refer the data subject to the Customer insofar as an obvious allocation to the Customer is possible according to the information from the data subject, and shall await the Customer’s instructions.
(3) The Contractor is only permitted to provide information to third parties about Data from the data processing relationship according to prior instruction or with the consent of the Customer.
(4) The Contractor shall not be liable if the data subject’s request is not responded to, not responded to correctly or not responded to in a timely manner by the Customer or its clients acting as Data Controllers.
11. Monitoring and Reviewing
(1) The Contractor shall review the internal processes at regular intervals and consents to the Customer being entitled to regularly review compliance with the regulations on data protection and data security as well as the contractual agreements to a reasonable and necessary extent, prior to the beginning of processing and during the term of the Agreement.
(2) The Contractor will cooperate in these reviews and provide support to the extent necessary. The result shall be documented.
(3) If reviews should be necessary in individual cases, these shall be carried out during normal business hours, upon reasonable advance notice and without disruption to business operations. The Contractor is permitted to make this dependent on the signing of a confidentiality agreement regarding the data of other clients and the established technical and organisational measures. The Customer consents to the appointment of an independent external auditor by the Contractor insofar as the Contractor provides a copy of the audit report upon request of the Customer.
(4) If a data protection authority or another sovereign supervisory authority carries out a review, the signing of a confidentiality statement is not necessary if this supervisory authority is subject to professional or statutory confidentiality under which a violation is subject to criminal penalties under the Swiss Criminal Code (StGB).
(5) The Customer and the Contractor shall cooperate upon request with the data protection supervisory authority in the performance of its tasks.
12. Obligations of the Contractor after Termination of the Agreement
(1) After completion of the contractual work or at any time upon request of the Customer, the Contractor shall deliver all Data and data inventories being in its possession that are related to the contractual relationship to the Customer or delete or destroy them according to data protection principles, or have them destroyed (insofar as no statutory retention obligation opposes this action). The same holds true for data backups, test and discarded material.
(2) Upon request of the Customer, the Contractor can provide proof of proper deletion of Data still existing. Documentation to be discarded shall be destroyed using a document shredder. Data carriers to be discarded shall be destroyed according to their security classification. The deletion or destruction may be confirmed to the Customer in writing or in a documented electronic format upon request, specifying the date.
(3) The Customer has the right to check that the return and deletion of the Data at the Contractor is complete and in conformity with the contract.
(4) The Contractor has a reasonable claim to remuneration vis-à-vis the Customer for the aforementioned transfer, deletion, or destruction. The Contractor’s customary hourly rates will apply.
13. Liability in case of Breach of this Agreement
(1) The Customer and the Contractor shall be liable for compensation for damage that a data subject suffers due to data processing or use within the scope of this Agreement that is not permitted or incorrect according to the data protection laws vis-à-vis this data subject as joint and several debtors insofar as the applicable laws and regulations on data protection so provide.
(2) Unless the Contractor is not responsible or not fully responsible for the event causing the damage, the Contractor shall be liable to the Customer, subject to separately agreed liability regulations in the individual contracts concluded between the Parties that may include data processing, to a maximum scope of 10% of the effectively paid remuneration for the service causing the damage for the past 12 months, but no more than an amount totalling CHF 50,000.00 for direct damage arising from breaches of its data protection obligations arising from this Agreement.
(3) Any limitations on liability between the Customer and its clients as Data Controllers shall also apply to the benefit of the Contractor so that the Contractor is not obligated to indemnify the Customer for amounts that the Customer is not required to pay due to such limitations of liability.
(4) Any further liability is excluded in all other respects, to the extent permissible by law. The liability regulations agreed upon in the individual contracts concluded between the Parties shall apply to other damage not caused by a breach of data protection obligations under this Agreement.
14. Miscellaneous
(1) Agreements on the technical and organisational measures as well as monitoring and auditing documentation shall be retained by both Parties to the Agreement for their applicability period and subsequently for three full calendar years.
(2) The Contractor retains the right to amend this Agreement for legitimate reasons. Amendments shall be communicated to the Customer within a reasonable period in writing or in another way. If the Customer does not exercise its right of extraordinary termination within one month after the date of notification, the amendments shall be deemed accepted.
(3) As a principle, amendments or supplements to this Agreement as well as ancillary agreements must be in writing or in a documented electronic format. An express notice is required that an amendment, a supplement, or an ancillary agreement to these terms is involved. This shall also apply to the waiving of this written form requirement. Unilateral amendments and supplements to this Agreement by the Contractor are excluded from this formal requirement.
(4) If the Customer’s assets or the Customer’s Data to be processed at the Contractor become endangered by third-party measures (for instance by attachment or seizure), by an insolvency or composition proceeding or by other events, the Contractor shall immediately notify the Customer unless the Contractor is prohibited from doing so by order of a court or government agency. The Contractor shall immediately notify all competent authorities in this context that the responsibility for and ownership of the Data rest exclusively with the Customer or its clients as Data Controllers.
(5) The defence of a right of retention shall be excluded with respect to the Data processed on behalf of the Customer and the related data carriers.
(6) In the event that individual provisions of this Agreement prove to be invalid or null and void, this will not render the remaining provisions invalid or null and void. Instead, they will be replaced by clauses that most closely reflect the economic purpose of the Agreement. The same will apply in the event of a gap or omission.
(7) In the event of any conflict with regard to the data processing, the regulations on data protection in this Agreement shall take precedence over the regulations in the individual contracts concluded between the Parties.
(8) All disputes arising out of or in connection with this Agreement shall be referred exclusively to the courts of the Contractor’s registered office. However, the Contractor is authorised to also bring a dispute before the court of competent jurisdiction for the registered office of the Customer.
(9) This Agreement is governed by Swiss law to the exclusion of the conflict of law rules.
Appendices:
List “Other processors”
List “Technical and Organisational Measures”