1 PREAMBLE
1.1 The Customer is responsible for the data processing executed through Phonemos (GDPR: "data controller"). All content uploaded and stored in a Phonemos instance is the property of the customer.
1.2 The provider ensures GDPR compliance as a data processor.
1.3 The parties shall ensure that they comply with all requirements of data protection law. In particular, the Customer shall ensure that it obtains all necessary consents for data processing from the persons whose personal data is processed. In the event of non-compliance, the Customer shall indemnify the Provider against claims by third parties.
1.4 The Provider is obliged to
inform the Customer as soon as possible during the term of the contract of any access to personal data by public authorities or unauthorized third parties that becomes known to it, and
after completion of the provision of the Processing Services, either delete or return all data, at the Customer's option.
1.5 Mandatory law that conflicts with the aforementioned obligations remains reserved and takes precedence.
1.6 Since it cannot be ruled out that the Provider will have access to personal data of the Customer or third parties, the Parties agree on Section 10.7 on Data Processing by Order.
1.7 As part of the use of linkyard's software in accordance with the terms of service, SLA and signed offer of linkyard ("Agreement"), it is necessary for the Processor to store and process data collected by the Client in the course of using the Processor's software services. It cannot be ruled out that these data are personal data within the meaning of Art. 4 No. 1 GDPR. This Section 10.7 applies exclusively to this data (hereinafter "Client Data").
2 NATURE, SCOPE, PURPOSE AND DURATION OF THE PROCESSING OF THE ORDER
2.1 This section specifies the rights and obligations of the parties under data protection law in connection with the Processor's handling of the Client Data in performance of the contract.
2.2 The Processor shall process the Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (commissioned processing). The Client remains the data controller in the sense of data protection law pursuant to Art. 4 No. 7 GDPR.
2.3 The processing of the Client Data within the scope of the commissioned processing shall be carried out in accordance with the specifications on the type, scope and purpose of the data processing contained in Section 15. It covers the categories of Client Data, the purpose of the processing and the groups of data subjects specified therein.
2.4 The processing of the Client Data takes place in the territory of Switzerland or in the European Union. The adequate level of protection in Switzerland has been established by an adequacy decision of the EU Commission (Art. 45 (3) GDPR). Any transfer to another third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
3 POWERS OF INSTRUCTION OF THE PRINCIPAL
3.1 The handling of the Principal Data by the Processor shall take place exclusively within the framework of the agreements made and in accordance with the documented instructions of the Principal pursuant to Art. 28 (3) sentence 2 lit. a GDPR, unless the Processor is obliged to process under Union law or the law of the Member States to which it is subject. In such a case, the processor shall notify the controller of these legal requirements prior to the processing, unless the law in question prohibits such notification due to an important public interest.
The Principal reserves a comprehensive right to issue instructions on the type, scope, means and purposes of the data processing within the scope of the job description agreed in this Agreement, which it may concretise by means of individual instructions. The Principal shall immediately confirm verbal instructions in writing or by e-mail (in text form). If the Client issues individual instructions regarding the handling of Client data which go beyond the contractually agreed scope of services, the costs incurred as a result shall be borne by the Client.
3.2 Changes to the object of processing and procedural changes shall be jointly agreed and documented. The Processor may only provide information to third parties or to a data subject with the prior written consent of the Client. The Processor shall not be entitled to disclose the Client Data to third parties and shall not use the data for any other purposes, in particular not for its own purposes. The Processor shall not be under any obligation to check the Client's instructions in terms of (data protection) law. The Processor shall inform the Principal without undue delay in accordance with Article 28 (3) sentence 3 of the GDPR if, in its opinion, an instruction issued by the Principal violates statutory provisions. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Principal.
4 OBLIGATIONS OF THE PRINCIPAL
4.1 The principal is solely responsible for the lawfulness of the data processing by the processor as well as for the protection of the rights of the data subjects and is thus the "controller" within the meaning of Art. 4 No. 7 GDPR.
4.2 The Principal shall be the holder of all rights, if any, concerning the Client Data.
4.3 The Principal shall inform the Processor without undue delay if it discovers errors or irregularities in connection with the processing of Principal Data by the Processor.
4.4 If third parties assert claims against the Processor due to the processing of Client Data, the Client shall indemnify the Processor against all such claims upon first request.
5 OBLIGATIONS OF THE PROCESSOR
5.1 The Processor shall ensure and regularly monitor that the processing of the Client Data within the scope of the provision of services under the Agreement in its area of responsibility, which includes the sub-processors pursuant to the sub-processor policy, is carried out in accordance with the provisions of this Agreement.
5.2 The Processor shall be obliged to appoint a competent and reliable data protection officer who can carry out his activities in accordance with Articles 37, 38 and 39 of the GDPR, if and as long as the legal requirements for an obligation to appoint are met. The contact details of the data protection officer shall be provided to the Client upon request.
5.3 The Processor is obliged to regularly monitor the internal processes as well as the technical and organisational measures in order to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
5.4 The Processor undertakes to maintain confidentiality when processing the Client's personal data in accordance with the contract. This obligation shall continue to exist even after termination of the contract.
5.5 Pursuant to Article 28 (3) sentence 2 lit. b of the GDPR, the Processor shall impose a written obligation of data secrecy on all persons who have access to the Client's personal data in accordance with the order and shall inform them of the special data protection obligations resulting from this order and of the existing obligation to follow instructions or to use the data for a specific purpose.
The Processor may not make copies or duplicates of the Client Data within the scope of the commissioned processing without the Client's prior consent. However, copies shall be exempt from this insofar as they are necessary to ensure proper data processing and the proper provision of the services in accordance with the main contract (including data backup), as well as copies that are necessary to comply with statutory retention obligations.
5.6 The Processor is obliged to support the Client in the fulfilment of its legal obligations within the scope of what is reasonable and necessary and against reimbursement of the expenses and costs incurred by the Processor as a result. This includes support with respect to the technical and organisational measures, the notification of personal data breaches to the supervisory authority and to data subjects, the conduct of data protection impact assessments and the prior consultation of the competent supervisory authority.
5.7 The Processor is obliged to provide the Principal with all necessary information, including certifications as well as audit and inspection results, which serve to prove compliance with the obligations set out in this contract.
5.8 The Processor shall be obliged to inform the Principal without delay about control actions and measures of the supervisory authority insofar as they relate to this contract. This shall also apply to the extent that a competent authority investigates the Processor in the context of administrative offence or criminal proceedings with regard to the processing of personal data in the course of the commissioned processing.
6 TECHNICAL AND ORGANISATIONAL MEASURES
6.1 The Processor shall implement the technical and organisational measures listed in Technical and Organisational Measures (Annex to the DPA) prior to the start of the processing of the Principal Data and maintain them during the Contract.
6.2 As the technical and organisational measures are subject to technical progress and technological development, the Processor shall be permitted to implement alternative and adequate measures, provided that in doing so the security level of the measures set out in Section 16 is not undercut. The Processor shall document such changes. Significant changes to the measures shall require the prior consent of the Client and shall be documented by the Processor and made available to the Client upon request.
7 VIOLATIONS OF THE PROCESSOR TO BE COMMUNICATED
7.1 The Processor shall inform the Client in a timely manner if it discovers that it or one of its employees has violated data protection regulations or the specifications of this Section 10.7 when processing Client Data, provided that this poses a risk of a personal data breach within the meaning of Article 4 No. 12 of the GDPR affecting the Client's personal data.
7.2 The Processor shall, to the extent reasonable and necessary, assist the Principal in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. These include, but are not limited to:
7.2.a ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential security breach and allow for the immediate detection of relevant breach events
7.2.b the obligation to notify personal data breaches to the Principal without undue delay
7.2.c the obligation to assist the Principal in its duty to inform the data subject and, in this context, to provide it with all relevant information without undue delay
7.2.d to assist the Principal in carrying out its data protection impact assessment
7.2.e assisting the Principal in the context of prior consultations with the supervisory authority
7.2.f For support services that are not included in the service specifications and are not due to misconduct of the Processor, the Processor may claim remuneration.
8 CONTROL RIGHTS OF THE PRINCIPAL
8.1 The Client shall satisfy itself, at its own expense, of the technical and organisational measures of the Processor in accordance with Section 16 prior to the commencement of data processing and regularly thereafter, and shall document the result. For this purpose, it may obtain information from the Processor itself, obtain a certificate from an expert, or carry out an on-site inspection at the Processor's premises after making an appointment in good time, without disrupting operations and subject to strict confidentiality, including with regard to the Processor's business and trade secrets. The Processor undertakes to support the Client's inspections in an appropriate manner and to tolerate all necessary inspection measures. The Processor may charge for inspection-related measures if they exceed the provision of existing, relevant documentation.
8.2 The Processor undertakes to provide the Principal, upon written request and within a reasonable period of time, with all information required to carry out a control.
8.3 The Processor shall be entitled, at its own discretion, taking into account the Client's legal obligations, not to disclose information that is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing it. The Principal shall not be entitled to have access to data or information on other customers of the Processor, to information regarding costs, to quality audit and contract management reports and to any other confidential data of the Processor which is not directly relevant for the agreed control purposes.
8.4 The Client shall inform the Processor in good time (as a rule at least two weeks in advance) of all circumstances related to the performance of the control. As a rule, the Client may carry out one inspection per calendar year. This shall be without prejudice to the right of the Client to carry out further inspections in the event of special occurrences.
8.5 If the Principal commissions a third party to carry out the inspection, the Principal shall oblige the third party in writing in the same way as the Principal is obliged to the Processor on the basis of this Section 10.7.7. In addition, the Client shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the Processor, the Client shall immediately submit to the Processor the commitment agreements with the third party. The Client may not commission a competitor of the Processor with the inspection.
8.6 At the choice of the Processor, proof of compliance with the technical and organisational measures pursuant to Section 16 may also be provided, instead of an on-site inspection, by submitting a suitable, up-to-date audit certificate, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security departments, data protection auditors or quality auditors) or a suitable IT security or data protection certification (e.g. in accordance with BSI IT-Grundschutz) ("audit report"), provided that the audit report reasonably enables the Client to satisfy itself of compliance with the technical and organisational measures in accordance with Section 16.
9 SUBCONTRACTING RELATIONS
9.1 The Processor may establish subcontracting relationships with regard to the processing of Client Data with the prior consent of the Client. Such prior consent may only be refused by the Client for good cause to be proven to the Processor. Upon request, the Processor shall provide the Client with a current overview of the sub-processors engaged. In the event of written authorisation, the Processor shall always inform the Client of any intended change with regard to the involvement or replacement of other Processors.
9.2 The sub-processors named in the sub-processor policy referred to in Section 5.1 shall be deemed to have already been approved by the Principal.
In the event of the use of a sub-processor, the Processor shall impose on the sub-processor, by way of a contract or other legal instrument under Union or Member State law, the same data protection obligations as those set out in this contract. Where a sub-processor fails to comply with the obligations laid down in this contract or infringes data protection law, the Processor shall be liable to the Client for compliance with the obligations of the sub-processor.
9.3 Services which the Processor uses from third parties as an ancillary service to support the execution of the order are not to be understood as subcontracting relationships within the meaning of this provision and therefore do not require the Principal's consent. These include, in particular, telecommunications services, security services, maintenance and user services, cleaners, auditors and the disposal of data carriers. However, in order to ensure the protection and security of the Client's data, the Processor is also obliged to conclude appropriate and legally compliant contractual agreements and to take control measures in the case of ancillary services contracted out to third parties.
10 RIGHTS OF DATA SUBJECTS
10.1 The rights of the data subjects affected by the data processing shall be asserted against the Principal.
Insofar as a data subject should contact the Processor directly in order to exercise his or her rights under Articles 12 to 22 of the GDPR in respect of the data relating to him or her, the Processor shall immediately refer the data subject to the Principal.
10.2 In the event that a data subject asserts his or her rights under Articles 12 to 22 of the GDPR, the Processor shall assist the Principal in fulfilling such claims to the extent reasonable and necessary for the Principal, unless the Principal can fulfil the claims without the assistance of the Processor. The Client shall reimburse the Processor for any additional expenses.
10.3 The Processor shall enable the Client to correct, delete or block Client Data or, at the Client's request, carry out the correction, blocking or deletion itself if and to the extent that this is impossible for the Client itself.
11 LIABILITY
11.1 The Principal and the Processor shall be jointly and severally liable for the compensation of damage suffered by a person due to unlawful or incorrect data processing within the scope of the contractual relationship.
11.2 The Client shall be solely responsible for compensation of damage suffered by a data subject due to inadmissible or incorrect processing of Client data within the scope of the commissioned processing in accordance with the applicable data protection law in the internal relationship with the Processor.
11.3 The Client undertakes to indemnify the Processor in the internal relationship against all claims of third parties, unless and to the extent that the Client proves that the Processor has failed to comply with the obligations under the GDPR specifically addressed to processors, or has acted outside or contrary to a lawfully issued instruction of the Client.
11.4 If a data protection authority or a court imposes a fine on the Processor on the basis of data processing by the Processor that is based on an instruction from the Principal, the Principal shall reimburse the Processor the relevant amount in full within 30 days of written notice.
11.5 The Principal shall reimburse the Processor for all costs resulting from an infringement falling under paragraphs 11.3 and 11.4, including the costs of legal proceedings.
11.6 Unlimited liability: The Processor shall be liable without limitation for intent and gross negligence, in the event of breach of a contractually granted guarantee and in accordance with the Product Liability Act. The Processor shall be liable for slight negligence in the event of damage to the life, body and health of persons. In all other respects, the following limited liability shall apply: In the event of slight negligence, the processor shall only be liable in the event of a breach of a material contractual obligation of the agreement, the fulfilment of which makes the proper performance of the agreement possible in the first place and on the observance of which the client may regularly rely (cardinal obligation). The liability for slight negligence is limited to the amount of the damages foreseeable at the time of the conclusion of the contract, the occurrence of which must typically be expected.
12 RETURN AND DELETION OF CLIENT DATA PROVIDED
12.1 After the end of the contractual provision of services (in particular upon expiry or termination of the agreement), the Processor shall, at the Client's option, return or delete all Client Data and destroy existing copies, unless there is a legal obligation to retain the data.
12.2 The Processor shall draw up a record of the deletion or destruction of Client Data, which shall be submitted to the Client upon request.
Documentation that serves as proof of the orderly and proper data processing or legal retention periods shall be kept by the Processor beyond the end of the contract in accordance with the respective retention periods.
12.3 The Parties undertake to keep confidential any facts, information and data, including related documents, which become known to them in connection with the contractual relationship and which are neither publicly known nor generally accessible ("Confidential Information"). Confidential Information shall also include analyses, summaries and extracts prepared on the basis of Confidential Information.
12.4 Each Party shall ensure that its personnel and third parties engaged by it (including their personnel) are required to maintain the confidentiality of Confidential Information entrusted to them or coming to their knowledge in the course of their work.
12.5 The disclosure of Confidential Information requires the prior written consent of the other party. However, the Client is permitted to disclose Confidential Information internally without the Processor's consent. The Processor is permitted to disclose Confidential Information internally within its group as well as to sub-processors approved by the Client without the Client's consent, provided that this is necessary for the performance of the services and the recipients have entered into corresponding confidentiality obligations in writing.
12.6 The confidentiality obligations shall continue to apply after termination of the contractual relationship or after performance of the agreed services.