Controller to Processor Agreement
(Data Processing Agreement)
This agreement is entered on Effective Date into by and between
HORISEN AG, a company organised and existing under the laws of Switzerland, having its registered office at Hauptstrasse 65, 9400 Rorschach, Switzerland,
hereinafter referred to as “DATA PROCESSOR”
OUR CUSTOMER, hereinafter referred to as “DATA CONTROLLER”.
Both hereinafter referred to as the “Parties”.
The following terms are defined in addition to the definitions of the Agreement, and those terms shall have the meaning given to them under GDPR, and particularly:
Data Controllermeans an entity (legal person under this agreement) which determines the purposes and means of the processing of personal data;
Data Processormeans an entity (legal person under this agreement) which processes personal data on behalf of the controller;
Datameans any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processingmeans any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Personal Data Breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Applicable Law(s)in this Agreement means: each legislation applicable to each party hereto (including regulation and Data Protection Legislation for the avoidance of any doubt);
Party(ies)means the person signing this Agreement;
Sub-Contractorscompanies currently engaged by DATA PROCESSOR which are listed at https://www.horisen.com/en/sub-contractors;
Agreementmeans this document including its Schedules;
HORISEN Groupmeans an economic entity formed of a set of companies which are listed at https://www.horisen.com/en/horisen-group.
DATA CONTROLLER and DATA PROCESSOR signed a Service Agreement (“Main Agreement”) pursuant to which the DATA PROCESSOR must perform Services as may be ordered by DATA CONTROLLER.
In order to fulfill the requirements of the Data Protection Legislation pertaining to the Main Agreement, the Parties now wish to additionally enter into this Controller-to-Processor agreement (“Agreement”).
The construction of the capitalized terms used in this Agreement are to be primarily construed as defined in the Main Agreement and if not capitalized herein or not defined in the Main Agreement or in this Agreement, with the meaning that could be reasonably attributed to those terms by the Parties.
The DATA CONTROLLER processes its Personal Data as well as Personal Data of other entities of the DATA CONTROLLER group of companies.
The DATA CONTROLLER wishes to outsource to the DATA PROCESSOR certain processing procedures with respect to such Personal Data and the DATA PROCESSOR is willing to supply such processing services to the DATA CONTROLLER on the terms and conditions contained in this Agreement.
The signature of this Agreement does not create any obligation to transfer any processing activity from the DATA CONTROLLER or any DATA CONTROLLER Company to the DATA PROCESSOR. The signature of any Order pursuant to the Main Agreement may trigger the processing of Personal Data by DATA PROCESSOR in which case such activities shall be governed by this Agreement and the applicable terms and conditions of the Main Agreement.
This Agreement is incorporated into the Main Agreement and the Main Agreement shall fully apply to and prevail over this Agreement unless a term or condition of this Agreement expressly deviates from the Main Agreement in which case such deviating term or condition shall apply for this Agreement only.
NOW IT IS AGREED as follows
For the avoidance of any doubt, the recitals of this Agreement are part of this Agreement.
Any breach of this Agreement by DATA PROCESSOR shall be construed as a material breach of the Main Agreement, and liability (if any) of the DATA PROCESSOR shall be governed by the terms and conditions of the Main Agreement.
The DATA CONTROLLER and the DATA PROCESSOR each must comply at all times with applicable Laws and the provisions of this Agreement.
Purpose of the Personal Data Processing
Obligations of the DATA CONTROLLER
Obligations of the DATA PROCESSOR
Data Security Breaches and Reporting Procedures
Retention Period and Liquidation of Personal Data
Monitoring and Audit Rights of the DATA PROCESSOR by DATA CONTROLLER
Changes to Applicable Law
1.1 The purposes for which the Personal Data shall be processed is for providing services to DATA CONTROLLER, related to horisen.pro platform including all applications and services, which are determined by Main Agreement.
2.1 The DATA CONTROLLER shall transfer to the DATA PROCESSOR only Personal Data obtained in compliance with the relevant provisions of the applicable Data Protection Legislation for the purposes stated in this Agreement.
2.2 The DATA CONTROLLER shall keep up to date and correct all Personal Data transferred to the DATA PROCESSOR whenever required in particular as set out by the relevant provisions of the applicable Data Protection Legislation.
2.3 The DATA CONTROLLER is solely obliged to provide data subjects with all information and explanations as required under applicable Laws. As between DATA PROCESSOR and DATA CONTROLLER, the DATA CONTROLLER is also solely responsible for dealing with data subjects in relation to their rights to access their respective data in accordance with applicable laws.
3.1 The DATA PROCESSOR shall process the Personal Data on behalf of the DATA CONTROLLER pursuant to the written instructions of the DATA CONTROLLER in accordance with applicable Laws and the terms and conditions set forth in the Agreement
3.2 The DATA PROCESSOR shall correct, modify, block or erase (as instructed by the DATA CONTROLLER) any Personal Data processed by DATA PROCESSOR in case it is not possible for the DATA CONTROLLER to do so.
3.3 The DATA PROCESSOR warrants and represents that it has implemented (and shall maintain during the term of this Agreement and as long as required by Laws) the technical and organizational security measures for the protection of Personal Data before processing the Personal Data which are transferred, and additional security measures as mutually agreed by the DATA PROCESSOR and the DATA CONTROLLER in an Order. DATA PROCESSOR has been adopting security measures including encryption, pseudonymization, resilience of processing systems and backing up personal data in order to be able to reinstate the system. All of organizational and technical measures are applied in accordance with ISO 27001 standard and GDPR requirements.
3.4 The DATA PROCESSOR shall not less than once per calendar year and in any cases as required from the DATA CONTROLLER from time to time, test the measures and promptly communicate the result of such testing to the DATA CONTROLLER.
3.5 In order to ensure compliance with such security measures, the DATA PROCESSOR shall permit the DATA CONTROLLER to conduct periodic inspections of its premises and the implemented security measures during usual business hours. The DATA CONTROLLER shall provide the DATA PROCESSOR with reasonable (but in no event less than thirty  days) advance notice of each inspection.
3.6 The DATA PROCESSOR must ensure that its personnel engaged in the processing of Personal Data comply and shall comply at all times with the data secrecy requirements.
3.7 The DATA PROCESSOR shall only allow access to the Personal Data to its staff or consultants where and to the extent that such access is required for the performance of the Services and subject to such staff and consultants having entered into an adequate non-disclosure agreement.
3.8 In the event that the DATA PROCESSOR shall discover that the DATA CONTROLLER is in breach of any of its obligations provided by the relevant Data Protection Legislation, the DATA PROCESSOR shall without delay notify the DATA CONTROLLER of this fact and suspend the performance of the suspected infringing processing until such time as the breach is remedied.
3.9 The DATA PROCESSOR undertakes to inform the DATA CONTROLLER without delay about any complaints, requests or other communications received by it from data subjects, data protection regulator(s) or third parties related to the processing of Personal Data by the DATA PROCESSOR and/or the DATA CONTROLLER.
3.10 The DATA PROCESSOR must comply with this Agreement at all times.
4.1 The DATA PROCESSOR is under a strict obligation to immediately notify the DATA CONTROLLER of any Data Security Breach and no later than within 24 hours of the DATA PROCESSOR becoming aware of the breach.
4.2 The DATA PROCESSOR agrees to provide any reasonable assistance as is required by the DATA CONTROLLER or the Data Protection Authority to facilitate the handling of any Data Security breach in an expeditious and compliant manner.
5.1 The Personal Data shall be retained by the DATA PROCESSOR in order to perform the Services for the time periods as defined by DATA CONTROLLER and in any case no longer than what is strictly necessary for the DATA PROCESSOR to (i) process the Personal Data in line with this Agreement or (ii) as the case may be, to meet any of its legal obligations (in particular statutory archival and retention obligations).
5.2 Subject to any legal obligations or request from DATA CONTROLLER to archive or retain Personal Data, at the request of the DATA CONTROLLER, the DATA PROCESSOR shall carry out the liquidation of any or all the Personal Data without undue delay after all the specific purposes for which the Personal Data were processed cease to exist or upon receipt of a written request of the DATA CONTROLLER.
5.3 On the instructions of the DATA CONTROLLER, the DATA PROCESSOR shall ensure that the PERSONAL DATA processed under this Agreement are returned to the DATA CONTROLLER or destroyed in accordance with the DATA CONTROLLER’S instructions. If those instructions are not in contradiction with an Applicable Laws. The DATA CONTROLLER reserves the right to issue instructions to the DATA PROCESSOR under this Clause at any time. In case, that instructions are not in accordance with applicable laws, applicable laws shall prevail.
5.4 Following the deletion of Personal Data under this clause, the DATA PROCESSOR shall notify the DATA CONTROLLER that the Personal Data in question has been deleted. Where applicable, the DATA PROCESSOR shall also provide confirmation that the Personal Data has been destroyed in accordance with any instructions issued by the DATA CONTROLLER, if those instructions are not in contradiction with an Applicable Laws. In case, that instructions are not in accordance with applicable laws, applicable laws shall prevail.
6.1 The DATA PROCESSOR agrees to maintain records of all Personal Data processed under the Agreement and its processing activities. The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this clause at any time, with reasonable (but in no event less than 30 days) advance notice of each inspection.
6.2 If DATA SUBJECT in any case requires information from DATA CONTROLER on subject of what type of that subject’s personal data is being processed under this agreement, and if DATA CONTROLER is not able to provide this type of information without DATA PROCESSOR’s help, DATA PROCESSOR is obliged to provide any reasonable help.
7.1 In order to provide services, to the standard required by the client (DATA CONTROLLER) as agreed in the main agreement, DATA PROCESSOR might engage companies from HORISEN GROUP. All members of HORISEN GROUP have the same information security policies and procedures established in accordance with ISO 27001 standard and data protection policies and procedures in accordance with GDPR requirements. By signing this agreement DATA CONTROLLER agrees that other members of HORISEN GROUP are considered as SUB-PROCESSORS.
7.2 By signing this agreement DATA CONTROLLER agrees that DATA PROCESSOR may at any time engage another processor, which should be considered as a SUB-PROCESSOR, but in that case DATA CONTROLLER have to be informed by DATA PROCESSOR about addition or replacement of SUB-PROCESSORS. DATA PROCESSOR should make sure there is signed Data Processing Agreement, between DATA PROCESSOR and SUB-PROCESSOR, in place and that any engaged SUB-PROCESSOR is GDPR compliant. DATA CONTROLLER retains opportunity to object to these changes. DATA PROCESSOR reserves the right to engage telecom provider or third-party telecom supplier for providing services that require their engagement (e.g. SMS or voice traffic). SUB-CONTRACTORS are also considered to be engaged as SUB-PROCESSORS by DATA PROCESSOR.
7.3 DATA PROCESSOR shall store personal data originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross-border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless it is required in writing by DATA CONTROLLER.
8.1 In addition to the monitoring and/or audit rights set out in the Agreement, the DATA CONTROLLER is entitled to proceed to any and all verifications (including on the DATA PROCESSOR’s site(s)) during usual business hours provided the DATA CONTROLLER gives reasonable (but in any event no less than 30 days’) prior written notice to the DATA PROCESSOR.
8.2 The DATA PROCESSOR shall duly and promptly cooperate with the DATA CONTROLLER, upon request of the DATA CONTROLLER, by giving access to all the documents, infrastructures, premises, information and/or staff reasonably required by the DATA CONTROLLER to ensure such Data Processing is compliant with this Agreement.
8.3 The costs and consequences of the monitoring and audits shall be borne by the DATA CONTROLLER including support costs.
9.1 Any notice or other communication which is given under this Agreement to a Party will be addressed and sent to that Party at the address as specified in this Agreement, or at any other address as otherwise notified to the other Party (including for the avoidance of doubt in a Statement of Work).
9.2 For data privacy and security related questions and concerns DATA CONTROLLER should contact DATA PROCESSORS’s DPO.
9.3 The specified address, telephone number and email address for DATA PROCESSOR for the purposes of this Clause are as followed:
10.1 In case the applicable data protection and applicable laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties will amend the Agreement. In such circumstances, the DATA PROCESSOR agrees to implement any changes to its processing activities as are necessary to comply with the amended terms of the Agreement.
11.1 This Agreement is entered into as of its Effective Date and for the whole term of the Agreement. For the avoidance of any doubt, it will follow the term of the Agreement and shall be automatically terminated whenever the Agreement is terminated or expired. Termination or expiry of this Agreement shall not terminate the Agreement;
11.2 In addition, the DATA CONTROLLER may terminate this Agreement with a 30 days prior notice to the DATA PROCESSOR without any termination fees or penalty;
11.3 This Agreement constitute the entire agreement between the Parties with respect to the subject matter contained herein;
11.4 This Agreement may be altered or supplemented only in writing and provided any such amendment is signed by the duly authorized representatives of both Parties;
11.5 If any provision of this Agreement is held invalid, illegal, or unenforceable for any reason, such provision shall be severed, and the remainder of the provisions hereof shall continue in full force and effect as if this Agreement has been executed with the invalid, illegal or unenforceable provision eliminated and the Parties shall rapidly discuss and amend the Agreement with a valid, legal and enforceable provision;
11.6 DATA CONTROLLER may modify this Agreement at all times upon written notice to DATA PROCESSOR and such changes shall be effective and applicable to both Parties as indicated in such written notice.
11.7 This Agreement is governed by the laws of Switzerland and GDPR, without regard to their conflicts of law principles.
Last update: 23rd of May, 2018.