0. Introduction

between the customer as data controller (“data controller”) and Andrion AG, Elias-Canetti-Strasse 2, 8050 Zurich as data processor (“data processor”)


1. Scope of application

a) The following provisions apply to the processing of personal data by and on behalf of the data controller.


2. Preamble

a) This data processing agreement governs the parties’ obligations to protect the personal data they process.


b) The data processor will not process personal data for the data controller for any purpose other than to fulfill the existing contractual obligations between the parties.


c) The data controller remains exclusively responsible for the relevant personal data.


3. Data processing

3.1 Purpose

a) The data processor is an IT service provider and administers the data controller’s IT systems. In order to fulfill these tasks, the data processor also processes personal data on the data controller’s behalf.


b) Such processing shall only take place upon written orders of the data controller. Such an order may be in the form of a service contract, a one-time order, or the like.


3.2 Duration

a) This agreement is valid as long as the processor processes personal data on the data controller’s behalf.


3.3 Affected data categories and persons

a) The data controller uses the infrastructure to process personal data listed in its list of procedures or its register of data collections, attached to the individual contract.


b) The categories of data subjects are listed in the appendix to the individual contract.


c) If there is no appendix to the individual contract, the data processor will not process any personal data even if ordered.


4. Rights and responsibilities

4.1 Compliance with data protection laws and regulations

a) The data processor is required to comply with data protection laws and regulations applicable to the data processor and the data controller. The data processor must ensure that its actions or failure to act do not lead to a situation in which the data controller is in violation of any data protection laws and regulations.


4.2 Obligation to follow instructions

a) The data processor will process and transmit the personal data only in accordance with the data controller’s instructions. In the absence of such instructions, the data processor will process personal data exclusively in accordance with this agreement and the detailed security concept listing the technical and organizational measures to be used.


b) The data controller solely decides whether to delete and/or correct personal data and/or to provide information to data subjects.


c) If personal data is processed on the basis of statutory provisions and contrary to the instructions of the data controller, the data processor is obliged to inform the data controller in advance about such processing and its legal basis, unless this is in conflict with an important public interest.


4.3 Confidential information and security

a) The data processor shall ensure that the persons authorized to process personal data (e.g. employees, subcontractors, etc.) have contractually agreed to maintain its confidentiality and security or are subject to corresponding statutory confidentiality and security obligations. For standard third-party products, the customer’s specific privacy policy applies directly between the customer and the third-party manufacturer.


b) Personal data is stored and treated as confidential information. However, as part of the brokerage and management of standard or other third-party products, personal data of the customer or its employees must be shared with third-party manufacturers. The processing by such third-party manufacturers is regulated by their separate data protection policies. The customer and/or its employees expressly authorize the data processor to submit declarations of consent to third-party data protection policies on behalf of the customer or its employees.


4.4 Technical and organizational measures

a) The processor shall take the legally required technical and organizational measures (TOM) to ensure the security of personal data and its processing.


b) The technical and organizational measures must take into account the current state of technology, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the differentiated likelihood and severity of the risk to the rights and freedoms of natural persons in order to ensure an adequate level of protection.


c) Where appropriate, the measures to be taken shall include:

  • Pseudonymization and encryption of personal data
  • Ability to ensure the persistent confidentiality, integrity, availability, and resilience of the systems and services related to the processing
  • Ability to restore the availability of personal information and access to it quickly in the event of a physical or technical incident
  • A procedure for periodically reviewing, analyzing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing


d) The data processor shall, upon request, provide the data controller with a detailed security concept with the technical and organizational measures used and likewise use said measures to ensure compliance with this agreement.


4.5 Sub-processors (subcontractors)

a) The data controller hereby grants to the data processor general permission to hire subcontractors to process the data it controls. The processor shall ensure that each contract with a subcontractor ensures compliance with this agreement and the rights and obligations herein.


b) In the case of a subcontractor from a third country, the processor shall additionally ensure that an adequate level of data protection exists between Switzerland and the EU by concluding EU standard clauses or by having a Swiss-US Privacy Shield certification.


c) If the sub-processor does not comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that sub-processor.


4.6 Obligations to report and provide support in the event of data breaches

a) In the event of the occurrence or suspected violation of data protection and in particular in the event of data loss or other irregularities in the processing of personal data, the data processor must inform the data controller immediately.


b) Notice of a data breach must contain this information:

  • Description of the type of data protection violation
  • Categories and approximate number of persons affected
  • Categories and approximate number of records affected
  • Contact details for a contact at the data processor who can provide further information
  • Description of the likely effects of the data breach
  • Description of the measures already implemented or yet to be implemented


c) The data processor shall assist the data controller in handling data breaches and provide it with all necessary information.


4.7 Duty to provide assistance in handling data subject requests

a) The data controller is responsible for handling data subject requests that fall within their rights. The data processor will immediately forward any such inquiries to the data controller.


b) The data processor shall provide support in handling such data subject inquiries at no charge to the data controller.


c) The data processor shall, in particular, adopt appropriate technical and organizational measures that will enable the data controller to obtain the necessary information easily, quickly, and as independently as possible, and in a common format, as well as to modify and delete personal data.


d) The data processor will always follow data controller instructions to correct, delete, and/or update personal data.


4.8 Further support obligations

a) Taking into account the nature of the processing and the information available to it, the data processor shall assist the data controller in fulfilling its data protection obligations, including the implementation of technical and organizational measures, reporting obligations, and any data protection impact assessments required.


4.9 Return and deletion after completing the processing

a) Once the processing is completed, the data processor must irrevocably delete or return all personal data, including all copies, as directed by the data controller, provided that this does not conflict with any of its legal obligations.


4.10 Tolerance of data controller monitoring

a) The data processor shall provide the data controller with all necessary information to demonstrate compliance with the obligations set forth in this agreement and to carry out checks, including inspections, of the data processor or any of its subcontractors. The customer shall bear the internal and external costs incurred by the data processor to compile the information and participate in such audits.


4.11 Additional disclosure obligations

a) The data processor shall notify the data controller without undue delay if there is reason to believe that an instruction violates applicable data protection regulations.


5. Amendments

a) This data processing agreement is valid together with the individual contract and the general terms and conditions of Andrion AG in the version published online.


b) Andrion shall be entitled to adjust this agreement and its services at any time, insofar as Andrion considers this to be sensible for technical reasons or due to developments on the market, supplier conditions, or regulatory conditions and therefore in the customer’s interest in adequate performance and service.


6. Final provisions

a) Should any provision of this agreement be or become ineffective, this shall not affect the validity of the remaining agreement. The ineffective provision shall be replaced by an effective provision that comes as close as possible to the original. The same applies to any essential provisions unintentionally omitted.


b) The definitions of terms used shall be construed in accordance with this agreement. If there are ambiguities regarding a definition, the definitions of the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG) apply mutatis mutandis, depending on the scope.


c) The undersigned confirms that he/she is duly authorized to sign on behalf of the party represented.


d) This agreement must be interpreted in accordance with Swiss substantive law, taking into account the case law under the GDPR.


e) The place of jurisdiction for any disputes is, at the discretion of the data controller, the registered office of either party.