Agreement on commissioned data processing (ADV)

Agreement on Commissioned Data Processing (ADV) between the customer of Emil Ebneter & Co. AG and its subsidiaries Appenzeller Alpenbitter AG, Crowning’s AG, Zafferana AG and EECO Immobilien AG (“Customer”) and Emil Ebneter & Co. AG and its subsidiaries Appenzeller Alpenbitter AG, Crowning’s AG, Zafferana AG and EECO Immobilien AG (“Contractor”). Individually referred to as a “Party” or collectively as “Parties”.

Preamble

  1. The Customer commissions the Contractor with tasks for the processing of personal data ("Data") within the meaning of data protection provisions. In this context, the Contractor may be a data processor or a further data processor within the meaning of data protection law. Such tasks are performed in connection with the fulfilment of contracts, warranty rights, support requests, maintenance requests or other tasks in which the Contractor receives access (including by means of “remote access”) to Data or is otherwise provided with or can take notice of Data provided by the Customer or its customers.
  2. To comply with the legal requirements, this Agreement shall apply. It applies to all activities in connection with contracts concluded between the Parties in which employees of the Contractor or persons commissioned by the Contractor process Data of the Customer (this also includes Data of its customers). Furthermore, this Agreement shall apply to all future contracts providing for commissioned data processing which the Parties conclude with each other.

1. Subject matter of the Agreement

  1. The subject matter of this Agreement as well as its nature and purpose, to which reference is made here, result from the respective contracts concluded between the Parties which may include commissioned data processing.
  2. Commissioned data processing is provided by the Contractor in Switzerland, in member states of the EU/EEA and other third countries. Processing in a third country shall be carried out in accordance with the consent of the Customer granted herein. If the Data is subject to professional or official secrecy or if other contractual obligations of secrecy or contractual agreements would preclude processing in a third country, the Customer shall inform the Contractor of this prior to processing by the Contractor so that the further procedure can be agreed between the parties. If no notification is made, it shall be assumed that no prior consent is required. The Customer is solely responsible for ensuring that the necessary legal basis exists for lawful data processing outside Switzerland.
  3. Any further transfer of commissioned data processing or sub-elements thereof to third countries shall take place only if the special data protection requirements are met (e.g. adequacy decision, standard data protection clauses, approved codes of conduct or another suitable guarantee for the data transfer).
  4. At the moment, additional data processors are used in Switzerland to provide commissioned data processing (e.g. support) and in EU member states and the USA for commissioned data processing of sub-elements (e.g. communication relating to customer support). The current list of further data processors, which is available from the Contractor upon request by the Customer, shall apply.

2. Term of the Agreement

  1. The term of this Agreement shall be based on the term of the contracts which have as their subject matter commissioned data processing between the Parties, insofar as the provisions of this Agreement do not give rise to any obligations or rights of termination that extend beyond this.
  2. In the event of a serious breach of data protection regulations or the provisions of this Agreement, the Parties may terminate this Agreement on commissioned data processing by giving four weeks’ notice. In the case of simple breaches – i.e. breaches that are neither intentional nor grossly negligent – one contracting Party shall set the other a reasonable deadline within which the latter may remedy the breach.

3. Nature and purpose of the processing, type of Data and categories of data subjects

  1. The activities of the Contractor include services related to the contractual products described in the respective contracts concluded between the Parties and for which commissioned data processing by the Contractor is possible.

    The Contractor’s activities may include, but are not limited to, the following:
    • Verification of personal, delivery and residential data of the Customer and its customers
    • Creation of documents for deliveries
    • Coordination and exchange of Data with the goods sender and receiver
    • Access to and processing of Data
    • Support-related activities
    • Receipt and processing of data backups with the possibility of accessing the Customer’s Data in the process
    • Hosting of applications, software solutions and Data

    The following types of processing are possible:
    • Collecting, recording, organising or arranging Data
    • Storage, adaptation or modification of Data
    • Reading, retrieval, usage and disclosure of Data by transmission
    • Dissemination or other form of provision, matching or linking of Data
    • Restriction, deletion or destruction of Data
  2. The types of Data processed and the categories of data subjects result from the respective subject matter of the contract and the contractual products.

    The following types of Data may be affected:
    • Personal master data (such as first name, surname, date of birth, age, gender, nationality)
    • Details of identity papers
    • Information about professional life, such as job title, function etc.
    • Information about private life, such as civil status, hobbies, etc.
    • User information such as log-in data, customer number, user behaviour, consumption behaviour
    • (Business or private) communication data (e.g. telephone number, address, e-mail address)
    • Contract master data (contract name, interest in the product or contract)
    • Customer history
    • Contract billing or payment data
    • Planning and control data
    • Project data
    • Information (from third parties, e.g. credit agencies, data from public directories)
    • Technical information such as IP address, device information, etc.

In addition, special categories of personal data or data requiring special protection may also be affected, in which case the classification of the Data results from the respective applicable data protection legislation.

The categories of data subjects may be:

  • Employees of (potential) customers, end and business customers, subscribers to contractual products of the Customer, interested parties, business partners, suppliers, commercial agents, salespersons and dealers, as well as their respective employees, as contact persons
  • In the case of legal persons, their natural persons, such as their employees, employees of their business partners, contractual partners, service recipients, service providers or other auxiliary persons of (potential) customers, suppliers, sellers, dealers
  • In the case of legal entities, their natural persons, such as their employees of public bodies, in the form of business partners, contractual partners, service recipients, service providers or other auxiliary persons of (potential) customers, suppliers

4. Rights, powers of instruction and duties of the Customer

  1. The Customer or its customers as the responsible party (hereinafter “Responsible Party”) within the meaning of data protection shall be solely responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects. The Contractor shall forward all requests to the Customer, insofar as they are recognisably addressed to the Customer or a Responsible Party.
  2. Changes to the subject matter of the processing or to the procedure may be jointly agreed between the Customer and the Contractor and specified in writing or in documented electronic form.
  3. The Customer shall have the right to issue instructions to the Contractor and shall, as a rule, issue such instructions in writing or in documented electronic form. The Customer shall immediately confirm verbal instructions in writing or in documented electronic form. Said instructions shall be kept for their period of validity and subsequently for at least five full calendar years. Instructions not provided for in the respective contract shall be treated as a request for a change in performance and shall be remunerated accordingly by the Customer.
  4. Persons authorised to issue instructions at the Customer and the recipients of instructions at the Contractor shall be determined individually between the Parties, together with determination of the communication channels to be used.
  5. The Customer shall inform the Contractor without delay if it detects any violations of data protection requirements, errors or irregularities during the examination of the results of the order or if it becomes aware of any such violations. The Contractor shall take the requisite measures to secure the Data and to mitigate any possible adverse consequences for the data subjects and may consult with the Customer to this end.
  6. The Customer or its customers shall be solely responsible for the Data provided to the Contractor. The Customer guarantees that this Data has been processed in a lawful manner (information obligations, legal basis, compliance with data protection principles, etc.) and that it is permitted to continue with the processing of said Data. The Contractor shall not be responsible for assessing the permissibility of the processing or for safeguarding the rights of the data subjects.

5. Duties of the Contractor

  1. The Contractor shall process Data exclusively within the framework of the agreements made and in accordance with the documented instructions of the Customer, unless it is obliged to process Data otherwise by the applicable law to which the Contractor is subject (e.g. investigations by law enforcement or state protection authorities). In such a case, the Contractor shall notify the Customer of these legal requirements prior to the processing, unless the law in question prohibits such notification due to an important public interest. The purpose, nature and scope of data processing shall be governed exclusively by this Agreement and/or the Customer’s instructions.
  2. The Contractor shall notify the Customer immediately if an instruction issued by the Customer is in clear violation of statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Responsible Party or the Customer following a review. If the Contractor can demonstrate that processing in accordance with the Customer’s instructions may lead to liability on the part of the Contractor, the Contractor shall be entitled to suspend further processing in this respect until the liability has been clarified between the Parties.
  3. The Contractor shall not use the Data provided for processing for any other purposes, in particular not for its own purposes. Copies or duplicates of the Data shall not be made without the knowledge of the Customer. This shall not apply to backup copies, insofar as they are necessary to ensure proper data processing, and to Data that is required to comply with statutory retention obligations.
  4. The Contractor may not on its own authority correct, delete or restrict the processing of the Data processed, but only in accordance with documented instructions from the Customer.
  5. The Contractor shall arrange and monitor internal organisational matters within its own area of responsibility in such a way that it meets the special requirements of data protection.
  6. The Contractor shall keep a register of all categories of processing activities carried out on behalf of the Customer, which shall contain all the information required of such a processing register.
  7. The Data processed for the Customer shall be strictly separated from other data files. Physical separation is not mandatory.
  8. The data carriers originating from the Customer or used for the Customer shall be specially marked. The receipt and issue of such data carriers, as well as their ongoing use shall be documented.
  9. The Contractor shall cooperate to the required extent and shall, to the extent possible, provide appropriate support to the Customer in the fulfilment of the rights of the data subjects by the Customer, the security of the processing, the notification of data protection breaches, the notification of a breach of protection of the data subject, the necessary data protection impact assessments of the Customer and in the case of necessary consultations with a supervisory authority.
  10. The processing of Data outside the Contractor’s premises, for example in the home office of employees, is hereby permitted by the Customer. Insofar as the Data is processed in a private residence, the necessary technical and organisational measures shall be ensured through contractual means.
  11. The Contractor undertakes to maintain confidentiality when processing the Data in accordance with the order issued. This requirement shall continue to exist even after termination of the contractual relationship. If applicable, the Contractor shall also observe relevant rules on the protection of secrets which are incumbent on the Customer.
  12. Prior to the commencement of activity by staff employed in the performance of the commissioned data processing and other persons working for the Contractor, the Contractor shall familiarise them with the applicable data protection provisions and bind them to secrecy in an appropriate manner for the duration of their activity as well as after termination of the employment relationship. Said persons are prohibited from processing the Data outside of the Customer’s instructions, unless they are legally obliged to process the Data.
  13. Where necessary, a data protection officer shall be appointed at the Contractor and the current contact details of this data protection officer shall be published on the Contractor’s website in an easily accessible manner.

6. Notification obligations of the Contractor in the event of data protection breaches

  1. If the Contractor becomes aware of a breach of data protection or data security, it shall report this to the Customer verbally, in writing or in text form as soon as it becomes aware of said breach.
  2. The notification to the Customer shall contain at least the following information:
    1. A description of the nature of the data breach, including, where possible, the categories and approximate number of data subjects, the categories concerned and the approximate number of personal data records concerned.
    2. A description of the measures taken or proposed by the Contractor to remedy the breach and, where applicable, measures to mitigate its possible adverse effects.
  3. If there is a duty to inform third parties (such as the data subjects) or any other legal notification duty applicable to the Customer or a Responsible Party (e.g. to notify a supervisory authority), the Customer or the Responsible Party shall be responsible for compliance therewith.

7. Subcontracting relationships with further data processors

  1. Contractual relationships of this kind include those services which relate directly to the provision of the main service or parts thereof under this Agreement. They do not include purely ancillary services, such as telecommunication, postal or transport services, cleaning services or security guard services without any specific reference to the services provided by the Contractor for the Customer. Maintenance, servicing and inspection services and the disposal of data carriers - insofar as knowledge of or access to Data of the Customer is possible - constitute such contractual relationships insofar as they are provided for IT systems which are also used in connection with the provision of services for the Customer.
  2. The Contractor is hereby granted general permission to commission further data processors (e.g. to appoint or replace them) in order to process the Customer’s Data. An up-to-date list of the other commissioned data processors is available from the Contractor. The Customer hereby agrees to such a commissioning of data processors.
  3. The Contractor shall inform the Customer of any intended change with regard to the appointment of new data processors or the replacement of existing further data processors, whereby the Customer shall have the opportunity to object to such changes.
  4. If no objection is raised by the Customer within seven days, the Customer shall be deemed to have agreed to the change; if an objection is raised within this period, the commissioning of the further data processor shall not be permitted. In such a case, the Parties shall find an amicable solution regarding the further data processor. In emergency situations, the Customer shall react within one day and, if necessary, raise its objection.
  5. The Contractor shall ensure that it selects the further data processor with due care.
  6. The commissioning of further data processors in third countries may take place only if the special data protection requirements are met (e.g. adequacy decision, standard data protection clauses, approved codes of conduct or another suitable guarantee for the data transfer). The Contractor shall ensure this through appropriate measures. For this purpose, the Customer hereby grants the Contractor the necessary authorisation to take the appropriate measures (also by proxy), such as the conclusion of standard data protection clauses (also in the name and on behalf of the Customer), should no adequate level of data protection have been established. Should, however, such a transmission of personal data be initiated by the Customer itself, compliance with the corresponding provisions shall be the sole responsibility of the Customer.
  7. The Contractor shall ensure through contractual means that the provisions agreed between the Customer and the Contractor also apply to further data processors. The contract with the further data processor shall be drawn up in writing or in electronic form.

8. Technical and organisational measures

  1. A level of protection appropriate to the risk to the rights and freedoms of the data subjects shall be ensured for the specific data processing operation. For this purpose, the protection objectives such as confidentiality, integrity and availability of the systems and services, as well as their resilience in relation to the type, scope, circumstances and purpose of the processing, shall be taken into account in such a way that the risk is permanently contained by means of appropriate technical and organisational remedial measures.
  2. A list of the technical and organisational measures taken by the Contractor is available from the Contractor. The measures contained therein represent the measures implemented by the Contractor in accordance with the identified risk, taking into account the protection goals according to the state of the art.
  3. The Contractor shall, if occasion arises, as well as at regular intervals, carry out a review, assessment and evaluation of the effectiveness of the technical and organisational measures implemented to ensure the security of the processing. The result, including the audit report, can be communicated to the Customer upon request. The measures at the Contractor may be adapted to reflect technical and organisational developments during the course of the contractual relationship.
  4. Should the measures taken at the Contractor fail to meet the Customer’s requirements, the Customer shall notify the Contractor without delay.

9. Rights and entitlements of the data subjects

  1. The Contractor shall, as far as possible, support the Customer with suitable technical and organisational measures in the fulfilment of the Customer’s obligations with regard to requests and claims of the data subjects.
  2. If a data subject approaches the Contractor with requests to correct, block or delete Data or provide information, the Contractor shall immediately refer the data subject to the Customer, provided that an obvious assignment to the Customer is possible according to information provided by the data subject, and shall await the Customer’s instructions.
  3. The Contractor may provide information to third parties about Data from the contractual relationship only after prior instruction from or with the consent of the Customer.
  4. The Contractor shall not be liable if the request of the data subject is not answered, is not answered correctly or is not answered in time by the Customer or its customers as Responsible Parties.

10. Monitoring and inspections

  1. The Contractor shall review the internal processes at regular intervals and agrees that the Customer shall be entitled, prior to the commencement of processing and during the term of the Agreement, to regularly review compliance with the regulations on data protection and data security as well as the contractual agreements to the appropriate and necessary extent.
  2. The Contractor shall assist in these reviews as necessary. The result shall be documented.
  3. Should inspections be necessary in individual cases, these shall be carried out during normal business hours without disrupting operations and subject to prior notification and a reasonable lead time. The Contractor may make this dependent on the signing of a confidentiality declaration with regard to the Data of other customers and the technical and organisational measures that have been implemented. The Customer agrees to the appointment of an independent external auditor by the Contractor, provided that the Contractor makes a copy of the audit report available at the Customer’s request.
  4. Should a supervisory authority for data protection or any other sovereign supervisory authority carry out an inspection, it shall not be necessary to sign a confidentiality undertaking if this supervisory authority is subject to professional or statutory confidentiality where a breach is punishable under the Swiss Criminal Code.
  5. The Customer and the Contractor shall, upon request, cooperate with the supervisory authority for data protection in the performance of its duties.
  6. The Contractor may demand reasonable remuneration for the assistance provided in carrying out an inspection, based on the actual expenses incurred. The Contractor’s usual hourly rates shall apply in this respect.
  7. In principle, the Customer shall remunerate support services provided by the Contractor that are not attributable to any misconduct on the part of the Contractor appropriately according to the expenses actually incurred. The Contractor’s usual hourly rates shall apply in this respect.

11. Obligation of the Contractor after completion of the order

  1. After completion of the contractual work or at any time at the request of the Customer, the Contractor shall – in accordance with the Customer’s instructions – hand over to the Customer all Data and data files of the Customer which have come into its possession and which are related to the contractual relationship or delete them or have them destroyed in accordance with data protection law (provided that this does not conflict with any obligation to retain Data). The same applies to data backups, test materials and scrap materials.
  2. At the Customer’s request, the Contractor can provide proof of the proper deletion of any Data still in existence. Documents to be disposed of must be destroyed using a paper shredder. Data carriers to be disposed of shall be destroyed according to their security classification. Upon request, the Contractor can confirm the deletion or destruction, together with the corresponding date, to the Customer in writing or in documented electronic form.
  3. The Customer has the right to check the complete and contractual return and deletion of the Data at the Contractor.
  4. The Contractor shall have a reasonable claim for remuneration against the Customer for the above-mentioned surrender, deletion or destruction. The Contractor’s usual hourly rates shall apply in this respect.

12. Liability for a breach of this Agreement

  1. The Customer and Contractor shall be jointly and severally liable to a data subject for compensation for damage suffered by a data subject due to the processing or use of data under this Agreement that is inadmissible or incorrect under the data protection laws, insofar as the applicable laws and regulations on data protection so provide.
  2. The Contractor shall be liable to the Customer, subject to separately agreed liability provisions in the respective contracts concluded between the Parties that may include commissioned data processing, to a maximum extent of 10% of the remuneration actually paid for the service causing the damage in the last 12 months, but not exceeding a total amount of CHF 10,000, for direct damage resulting from breaches of its data protection obligations under this Agreement, unless the Contractor is not or is not fully responsible for the event causing the damage.
  3. Any limitations of liability between the Customer and its customers as Responsible Parties shall also apply in favour of the Contractor, with the result that the Contractor shall not be obliged to compensate the Customer for amounts which the Customer is not obliged to pay due to such limitations of liability.
  4. In all other respects, any further liability – insofar as legally permissible – is excluded. For other damages not caused by a breach of data protection obligations under this Agreement, the liability provisions agreed in the respective contracts concluded between the Parties shall apply.

13. Miscellaneous

  1. Agreements on technical and organisational measures as well as control and audit documents shall be kept by both contracting Parties for their period of validity and subsequently for at least five full calendar years.
  2. The Contractor reserves the right to make changes to this Agreement. Changes shall be notified to the Customer in writing or otherwise at least 30 days in advance. If the Customer does not exercise its extraordinary right of termination within one month of notification, the changes shall be deemed to have been accepted. The Customer shall have no claims against the Contractor in the event of a change.
  3. Amendments or supplements to this Agreement as well as ancillary agreements must always be made in writing or in a documented electronic format. It must be expressly stated that this is an amendment, supplement or ancillary agreement to these terms and conditions. This also applies to the waiver of this formal requirement. Unilateral amendments and supplements to this Agreement by the Contractor shall remain exempt from this formal requirement.
  4. Should the Customer’s property or Data to be processed at the Contractor be endangered by measures of third parties (such as by attachment or seizure), by insolvency or composition proceedings or by other events, the Contractor shall notify the Customer without delay, unless it is prohibited from doing so by a court or official order. The Contractor shall immediately inform all bodies responsible in this context that the sovereignty and ownership of the Data lies exclusively with the Customer or its customers as the Responsible Parties.
  5. The defence of the right of retention is excluded with regard to the Data processed for the Customer and the associated data carriers.
  6. Should individual provisions of this Agreement prove to be invalid or void, this shall not result in the invalidity or voiding of the remaining provisions; instead, these shall be replaced by such provisions as come closest to the economic purpose of the Agreement. The same applies in the event of a contractual loophole.
  7. In the event of any inconsistencies with regard to commissioned data processing, the data protection provisions of this Agreement shall take precedence over the provisions of the respective contracts concluded between the Parties.
  8. The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement shall be the Contractor’s registered office. However, the Contractor shall also be entitled to bring a dispute before the court having jurisdiction for the Customer’s registered office.
  9. This contract is subject to Swiss law to the exclusion of international private law.

Annexes available upon request of the Customer:

  • List “Other commissioned data processors of Emil Ebneter & Co. AG”
  • List “Technical and organisational measures of Emil Ebneter & Co. AG”

These ADV are available in different languages. In the event of deviations or contradictions, the German version of the Agreement on Commissioned Data Processing shall prevail.

Last updated: 25 August 2023