Contract for Commissioned Processing of Personal Data
between
— hereafter "Principal" aka"(data)controller" in the meaning of EU-GDPR —
and
Pulserio AG
Wassergrabe 3
6210 Sursee
Switzerland
— hereafter "Contractor"aka"(data) processor" in the meaning of EU-GDPR —
1. Contractual Object and Applicable Data Protection Law
1.1 As part of the registration process, you have placed an order with us (hereafter referred to as the "Main Contract," visit https://leadrebel.io/terms for details). Therefore, it is required that the Contractor processes personal data for which the Principal is responsible (hereafter referred to as "Principal Data"). This Contract specifies the parties' data protection rights and obligations connected with the Contractor's handling of Principal Data executing the Main Contract.
1.2 The Contractor is subject to Swiss data protection law. If and to the extent that the Principal is wholly or partly subject to the General Data Protection Regulation (GDPR), the Contractor shall be informed accordingly. In this case, the Contractor guarantees compliance with the GDPR within the scope of order processing; the parties' rights and obligations under this Contract also refer to the GDPR.
2. Scope of Commissioning
2.1 The Contractor processes the Principal Data on behalf of and according to the instructions of the Principal (commissioned processing). The Principal shall remain responsible according to the meaning of data protection law.
2.2 The Principal Data shall be processed by the Contractor in the manner, to the extent, and for the purpose specified inAppendix 1 of this Contract. The processing involves the types of personal data and categories of data subjects specified therein. The duration of data processing corresponds to the duration of the Main Contract.
2.3 The Contractor reserves the right to anonymize or aggregate the Principal Data so that it is no longer possible to identify individual data subjects and to use it in this form for designing, developing, and optimizing it in line with requirements and for providing the service agreed under the Main Contract. The parties agree that Principal Data that have been anonymized or aggregated as described above shall no longer be considered Principal Data in the meaning of this Contract.
2.4 The Contractor may process and use the Principal Data for its own purposes and responsibility within the scope of what is permitted under data protection law if a statutory permit provision or a letter of consent from individual data subjects allows it. This Contract does not apply to such forms of data processing.
2.5 The processing of the Principal Data by the Contractor shall occur in Switzerland or the European Economic Area (EEA). The Contractor is nevertheless permitted to process Principal Data outside Switzerland or the EEA in compliance with the provisions of this Contract provided that the Contractor informs the Principal in advance of the location of the data processing and that the prerequisites for the transfer of personal data to a third country are met.
3. Powers of Instruction of the Principal
3.1 The Contractor shall process the Principal Data in accordance with the Principal's instructions unless the Contractor is otherwise legally obliged to process the data. In such a case, the Contractor shall notify the Principal of these legal requirements before processing, provided that the relevant law does not prohibit such notification.
3.2 The instructions of the Principal are conclusively defined and documented in the provisions of this Contract. Individual instructions that deviate from the provisions of this Contract or impose additional requirements require the Contractor's prior consent.
3.3 The Contractor warrants to process the Principal Data in accordance with the Principal's instructions. If the Contractor believes that an instruction from the Principal is in breach of this Contract or the applicable data protection law, the Contractor shall be entitled, after notifying the Principal accordingly, to suspend the execution of the instruction until the Principal confirms the instruction. Both parties agree that it is the sole responsibility of the Principal to process the Principal Data in accordance with the instructions.
4. Responsibility of the Principal
4.1 The Principal shall be solely responsible for the lawfulness of the Principal Data processing and for safeguarding the data subjects' rights in the relationship between the parties. If any third party lodges a claim against the Contractor due to the processing of Principal Data in accordance with the provisions of this Contract, the Principal shall indemnify the Contractor against all such claims upon first request.
4.2 It is the responsibility of the Principal to provide the Contractor with the Principal Data on time; he is responsible for the quality of the Principal Data. The Principal must inform the Contractor wholly and immediately if he discovers any errors or irregularities about data protection regulations or his instructions during the examination of the Contractor's order results.
4.3 Upon request, the Principal shall provide the Contractor with the information required for the records of processing activities as Contractor, unless the Contractor himself has such information.
4.4 If the Contractor must provide information to a person or government agency regarding the processing of Principal Data or cooperate with these agencies in any other way, the Principal is obliged to support the Contractor at first request to provide such information or fulfill other obligations to cooperate.
5. Personnel Requirements
The Contractor shall oblige all those parties processing Principal Data to maintain confidentiality about Principal Data processing.
6. Security of Processing
At all times, the Contractor shall take necessary and appropriate technical and organizational measures which are required to ensure a level of protection for the Principal Data commensurate with the risk, taking into account state of the art, the implementation costs and the nature, scope, circumstances, and purposes of the processing of the Principal Data as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of the data subjects.
7. Use of Other Data Processors
7.1 The Principal hereby grants the Contractor general permission to involve other data processors to process the Principal Data. The other data processors involved at the time of the conclusion of this Contract are listed inAppendix 2.
7.2 The Contractor shall inform the Principal of any intended changes concerning the involvement or replacement of other data processors. In individual cases, the Principal shall be entitled to object to another data processor's potential commissioning. Such an objection may only be raised by the Principal on substantial grounds to be demonstrated to the Contractor. Unless the Principal objects within fourteen (14) days of receipt of the notification, his right to object to the corresponding commission shall expire. If the Principal objects, the Contractor shall be entitled to terminate the Main Contract and this Contract subject to a notice period of three (3) months.
7.3 The contract between the Contractor and the other data processor must impose equal obligations upon the latter as imposed on the Contractor under this Contract.
7.4 Subject to compliance with Clause 2.5 of this Contract, the provisions of this Clause 7 shall also apply in cases where another data processor is engaged in a third country. The Principal hereby authorizes the Contractor to conclude a contract with another data processor on behalf of the Principal, including standard data protection clauses, to transfer personal data to data processors in third countries.
8. Rights of the Data Subject
8.1 The Contractor shall provide the Principal with technical and organizational support to the extent reasonable to enable him to comply with his obligation to respond to requests to exercise the rights of data subjects to which they are entitled. The Principal shall reimburse the Contractor for proven expenses and costs incurred thereby.
8.2 If a data subject requests to exercise his legitimate rights against the Contractor directly, the Contractor shall notify the Principal without delay.
8.3 The Contractor shall inform the Principal about the stored Principal Data, the recipients of the Principal Data to whom the Contractor passes them on according to the commission, and the purpose of the storage unless the Principal already has this information or can obtain it himself.
8.4 To the extent reasonable and necessary, the Contractor shall enable the Principal to correct, delete or restrict further processing of the Principal Data or, upon the Principal's request, to correct, block or restrict further processing himself, if and to the extent that this is impossible for the Principal himself.
8.5 To the extent that the data subject has a right of data portability vis-à-vis the Principal regarding the Principal Data, the Contractor shall support the Principal to the extent reasonable and necessary upon legitimate reimbursement of the expenses and costs incurred by the Contractor in providing the Principal Data in a common and machine-readable format if the Principal cannot obtain the data otherwise.
9. Notification and Support Obligations of the Contractor
9.1 To the extent that the Principal is subject to a statutory obligation to notify or communicate due to a violation of the protection of Principal Data, the Contractor shall inform the Principal in good time of any events in his area of responsibility that require reporting. The Contractor shall support the Principal in fulfilling his notification and communication obligations upon the Principal's request to the extent reasonable and necessary upon legitimate reimbursement of the resulting expenses and costs incurred by the Contractor.
9.2 The Contractor shall support the Principal to the extent reasonable and necessary upon legitimate reimbursement of the resulting expenses and costs incurred by the Contractor during any privacy impact assessment to be conducted by the Principal and subsequent consultations with the supervisory authorities, if applicable.
10. Data Deletion
10.1 The Contractor shall delete the Principal Data after the termination of this Contract unless the Contractor is obliged by law or regulation to continue storing the Principal Data.
10.2 The Contractor may store documentation that serves as proof of the orderly and proper processing of Principal Data even after the end of the Contract.
11. Evidence and Verifications
11.1 Upon request, the Contractor shall provide the Principal with all information necessary and available to him to prove compliance with his obligations under this Contract.
11.2 The Principal shall be entitled to review the Contractor for compliance with the provisions of this Contract, in particular, the implementation of the relevant technical and organizational measures, including by conducting inspections.
11.3 In order to carry out inspections in accordance with Clause 11.2, the Principal shall be entitled, after giving prior notice according to Clause 11.5, to enter the Contractor's business premises where Principal Data are processed, within his regular business hours, at the Principal's expense, without disturbing the operation and under strict secrecy of the Contractor's business and trade secrets.
11.4 The Contractor shall be entitled, at its own discretion considering Principal's statutory obligations, not to disclose information, which are sensitive regarding the Contractor's business or if the Contractor would violate statutory or other contractual provisions by disclosing such information. The Principal shall not be entitled to any access to data or information relating to other customers of the Contractor, to cost information, to quality inspection and contract management reports, or to any other confidential data of the Contractor that are not directly relevant to the agreed verification.
11.5 The Principal shall inform the Contractor in good time (as a rule at least two weeks in advance) of all circumstances connected with the execution of the inspection. The Principal shall bear the proven expenses and costs incurred by the Contractor.
11.6 If the Principal commissions a third party to carry out the inspection, the Principal shall obligate the third party to the same degree in writing as the Principal is obligated to the Contractor under Clause 11 of this Contract. Moreover, the Principal shall oblige the third party to maintain secrecy and confidentiality unless the third party is subject to a professional obligation of secrecy. At the Contractor's request, the Principal shall present the undertaking with the third party to the Contractor without delay. The Principal shall not assign any competitor of the Contractor to carry out the inspection.
11.7 At the Contractor's option, proof of compliance with the obligations under this Contract may also be furnished, instead of an inspection, by the submission of a suitable, current audit certificate or report from an independent body or appropriate certification by an IT security or data protection audit ("Audit Report"), if the Audit Report enables the Principal to satisfy himself of compliance with the contractual obligations reasonably.
12. Duration of Contract and Termination
The duration and termination of this Contract shall be governed by the provisions governing the Main Contract's duration and termination. Termination of the Main Contract automatically results in a termination of this Contract. An individual termination of this Contract is excluded.
13. Liability
13.1 The Contractor's liability under this Contract shall be governed by the exclusions and limitations of liability under the Main Contract. If third parties assert claims against the Contractor based on a culpable violation of this Contract by the Principal or on one of his obligations as the person responsible for data protection, the Principal shall indemnify the Contractor from these claims upon first request.
13.2 The Principal also undertakes to indemnify the Contractor at first request from any fines imposed on the Contractor to the extent that the Principal bears part of the responsibility for the infringement sanctioned by the fine.
14. Final Provisions
14.1 Should individual provisions of this Contract be or become invalid or contain any loopholes, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of the applicable data protection law.
14.2 In case of contradictions between this Contract and other agreements between the parties, in particular the Main Contract, the provisions of this Contract shall prevail.
Sursee, 10.01.2023
Addendum:
Appendix 1: Purpose, Type and Scope of Data Processing, Nature of Data and Categories of Data Subjects
Appendix 2: Other data processors
Appendix 1
Purpose of the data processing | Usage analysis and identification |
Type and scope of data processing | Analysis and evaluation of data obtained using LeadRebel® tracking code |
Data type | Web traffic data from the Principal's websites |
Categories of data subjects | Website visitors of the Principals |
Appendix 2
Company, address | Type of processing | Purpose | Data type | Categories of data subjects |
DigitalOcean, LLC 101 Avenue of the Americas, 10th Floor New York, NY 10013 (headquarters, data centers are operated worldwide) | Storage and provision of data from the Main Contract | Fulfillment of the Main Contract | The data collected by the Principal using the tracking code as well as the Contractor's additions | Principal, Website visitors of the Principal |
Amazon Web Services, Inc., 410 Terry Avenue North Seattle, WA, 98109 United States
| Storage and provision of data from the Main Contract | Fulfillment of the Main Contract | The data collected by the Principal using the tracking code as well as the Contractor's additions | Principal, Website visitors of the Principal |
SendPulse Inc., 220 E 23rd St #401, New York, NY 10010, USA | Notification of users about important news | Fulfillment of the Main Contract | The account data collected from Principal | Principal |
HubSpot, Inc. 25 First Street, Cambridge, MA 02141, USA | Storage and provision of data from the Main Contract | Marketing and distribution | The account data collected from Principal | Principal |
IDB LLC, 5616 49th Ave SW, Seattle, WA, USA | Storage and provision of data from the Main Contract | Fulfillment of the Main Contract | IP address | Principal, Website visitors of the Principal |
Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland | Storage and provision of data from the Main Contract | Marketing Analytics | IP address Display interaction Website use | Principal, Website visitors of the Principal |