DATA PROCESSING AGREEMENT (DPA)
This Agreement (hereinafter: DPA) specifies the obligations of the parties regarding the legal requirements of the Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR), insofar as the latter is applicable. In this respect, it supplements the mandate agreement or mandate agreements between Libera and the client.
This DPA shall apply only to the extent and insofar as the following requirements are met:
- The customer is either a data controller or a commissioned data processor within the scope of the FADP and/or the GDPR and
- the customer assigns Libera within the scope of the mandate agreement as commissioned data processor or subcontracted data processor for the processing of personal data or personal related data covered by the scope of application of the FADP and/or the GDPR (hereinafter: relevant data).
1. SUBJECT MATTER, DURATION AND TYPE OF PROCESSING
The subject matter, duration, type and purpose of the processing are set out in the mandate agreement. The categories of relevant data to be processed, the categories of data subjects and the Technical and Organisational Measures to be taken (hereinafter TOM) are listed either in the mandate agreement or in the annex to this DPA.
2. SCOPE AND RESPONSIBILITY
Libera processes the relevant data exclusively for the fulfillment of the contract or for the purposes agreed upon in the mandate agreement. The client is responsible for the legality of the data processing itself, including the permissibility of the assignment of the data processing to a commissioned data processor or subcontracted data processor.
The customer’s instructions are documented in this DPA and in the mandate agreement. The client has the right to provide Libera with further instructions regarding the processing of the relevant data at any time in writing. Libera will comply with these instructions insofar as they are within the scope of the contractually agreed services to be provided by Libera and are reasonably realizable by Libera. If such instructions lead to additional costs for Libera or a changed scope of services, the contractually agreed contract adjustment procedure shall apply. Libera shall inform the customer without delay if it believes that an instruction violates the FADP or the GDPR. Libera may in this case suspend the implementation of the instruction until it has been confirmed or amended by the customer. In the case of instructions from the customer in connection with granting access authorisations or the release of relevant data to the customer itself, the above does not apply, and Libera may at all times assume that these instructions are in compliance with the applicable laws. However, Libera is entitled to demand corresponding written confirmations from the customer.
3. DUTIES OF LIBERA
Libera processes the relevant data exclusively in accordance with the provisions of the mandate agreement and this DPA. The fulfilment of legal, regulatory, or official obligations by Libera remains reserved.
Libera will take appropriate TOMs as defined in the Mandate Agreement and the Annex to this DPA to protect the relevant data. Libera may adapt the agreed TOMs at any time as long as it complies with the applicable data protection laws.
Libera shall maintain a register of data processing activities in relation to the relevant data. Libera shall at any time, upon request, provide the customer with access to parts of this register concerning Libera’s provision of services to the customer.
Libera ensures that all employees and other parties involved in the processing of the customer’s relevant data are prohibited from processing the relevant data outside the scope of the mandate agreement or this DPA. Furthermore, Libera ensures that the persons authorised to process the relevant data have committed themselves to confidentiality and/or are subject to an appropriate legal obligation of confidentiality. The confidentiality obligation shall continue to exist after the termination of the mandate agreement.
Libera shall inform the client without delay if it becomes aware of any breaches of the protection of the relevant data at Libera or one of its subcontracted data processors (data breach). Libera shall inform the client in writing (e-mail is sufficient) of the nature and extent of the breach as well as possible remedial measures. In such a case, the parties shall consult and agree on measures to be taken without delay. The parties shall take the required measures to ensure the protection of the relevant data and to mitigate any possible adverse consequences for the persons affected.
Libera has appointed a responsible person to ensure compliance with data protection requirements. This person can be contacted for enquiries at datenschutz(at)libera.ch.
After expiration of the contract, Libera proceeds with the relevant data in accordance with the contractual provisions, returns it to the client, deletes it to the extent reasonable and technically possible, or archives the data in accordance with the statutory retention provisions. Libera or its subcontracted data processors use procedures established in the IT industry for the deletion of relevant data.
4. DUTIES AND OBLIGATIONS OF THE CUSTOMER
The customer shall independently take appropriate technical and organisational measures to protect the relevant data in his area of responsibility (e.g. on his own systems, buildings, applications/environments under his operational responsibility).
The customer informs Libera without delay if it becomes aware of any violations of data protection regulations in the provision of services by Libera.
The customer provides Libera with the contact details of the responsible person for data protection issues arising within the scope of the mandate agreement, as well as the data protection officer in cases where this is required in accordance with GDPR.
5. REQUESTS FROM AFFECTED PERSONS
If an affected person contacts Libera directly with requests for rectification, erasure, information, or other claims about relevant data, Libera will refer the affected person to the customer if an allocation to the customer is possible with the information provided by the affected person.
Libera commits itself, within the scope of its possibilities, to support the customer upon request and against compensation in the fulfilment of its obligations towards the affected person (mainly regarding the right to information, deletion requests, etc.). In addition, Libera offers the customer further support against a separate fee, e.g. in connection with a data protection impact assessment, consultation with the supervisory authority, notifications to the supervisory authority, etc.
6. VERIFICATION OPTIONS AND AUDITS
Libera is obliged to provide the client, upon request, with information to document compliance with the obligations under this DPA.
Data protection audit rights of the client or its supervisory authorities must be carried out by a recognised audit body. In any case, the principle of proportionality must be observed in the context of such audits and the interests of Libera that are worthy of protection (in particular confidentiality) must be adequately taken into account. The client shall bear all costs of such audits (including proven internal costs of Libera incurred in participating in the audit).
If, after submission of evidence or in the course of an audit, breaches of this DPA or deficiencies in the implementation of the obligations of Libera are identified, Libera will implement suitable and reasonable corrective measures without delay and free of charge.
7. INVOLVEMENT OF SUBCONTRACTED DATA PROCESSORS
Libera is entitled to engage subcontracted data processors, provided that they are bound at least by the obligations arising from this DPA and the mandate agreement. Libera shall conclude suitable agreements with its subcontracted data processors for this purpose.
8. DISCLOSURE ABROAD
Libera takes fundamental care to process personal data only within Switzerland. Any disclosure of relevant data by Libera abroad or to an international organisation is only permitted if Libera complies with the above-mentioned data protection regulations. If, on the other hand, such disclosure of relevant data is requested by the customer or is made on the customer’s behalf, compliance with the relevant provisions shall be the sole responsibility of the customer.
9. FINAL PROVISIONS
In deviation from any written form requirements in the mandate agreement, the present DPA may also be agreed electronically between the parties.
The obligations under this DPA apply in addition to the obligations set out in the mandate agreement and do not restrict the latter. Regarding the TOM generically defined in an annex to this DPA, the provisions of the mandate agreement shall prevail in case of contradiction. In all other respects, the provisions of the mandate agreement shall continue to apply unchanged.
The present DPA is a translation of the German version of the “Auftragsdatenbearbeitungsvereinbarung (ADV)”. The German version of the ADV shall be the binding version and shall be controlling on all questions or interpretations and performance. All translations of the German version of the ADV shall be for the convenience of the parties only and shall not be binding upon the parties.
(Valid from August 2023)