Data Processing Agreement

Annex to the Terms of Service of ContentPaul AG
The Company (as defined in the Main Agreement) provides software services to the Customer (as defined in the Main Agreement). The rights and obligations of the parties in this regard are set out in the Terms of Service and/or a separate agreement (hereinafter collectively referred to as the **Main Agreement**). This data processing agreement (**DPA**) specifies the data protection obligations of the parties arising in connection with the Main Agreement.
Against this background, the parties agree the following:

1. Scope

1.1 Scope of the DPA

This DPA shall apply to all activities related to the Main Agreement in which the Company or its employees or third parties mandated by the Company process personal data for the Customer. The processing of personal data in accordance with this DPA is carried out in accordance with the Swiss Federal Act on Data Protection of September 25, 2020 (FADP) and, if applicable, the European General Data Protection Regulation (GDPR).

1.2 Subject, nature and purpose of the processing

The Company shall process personal data in accordance with the provisions of the Main Agreement. The object of the processing is the processing of personal data within the scope of the Main Agreement. In particular, the following types of personal data are processed: Surname, first name, e-mail address, related company, social media information, profile information, marketing information. In particular, the following categories of data subjects are affected: Employees and other auxiliary persons including external providers of the Customer. The purpose of the processing is the fulfillment of the Main Agreement.

2. Duration and place of processing

2.1 Duration

The processing of personal data lasts as long as provided for in the Main Agreement.

2.2 Location

The place of processing of personal data in accordance with this DPA is generally in Switzerland and the European Union. In addition, personal data may also be processed in countries with an adequate level of protection in accordance with Art. 16 para. 1 FADP (or Art. 45 GDPR). If personal data is processed in a country without the corresponding protection pursuant to Art. 16 para. 1 FADP (or Art. 45 GDPR), the Company shall ensure that a guarantee pursuant to Art. 16 para. 2 FADP (or Art. 46 et seq. GDPR) is in place for the corresponding processing. The servers used by the Company to store personal data in accordance with this DPA are located in Germany. Processing in other countries takes place, for example, when using external services, which take place via servers in other countries.

3. Sub Processors

3.1 Mandating of sub processors

The Customer agrees that the Company may mandate sub processors to fulfill obligations arising from the Main Agreement and this DPA and may grant them access to the personal data in accordance with this DPA.
The Company shall carefully select the sub processors, taking into account the suitability of the technical and organizational measures taken by the sub processors.
Further sub-subcontracting by the sub processors etc. is permitted subject to compliance with the provisions of this DPA. Insofar as the GDPR is applicable, the Company shall notify the Customer of any intended change to a sub-processor, giving the Customer the opportunity to object.

3.2 Obligation of the sub processor

The Company must ensure that the sub processors comply with the requirements regarding data security in accordance with the FADP and GDPR. Insofar as the GDPR is applicable, the Company must conclude a written agreement (documented in the original or in electronic format).

3.3 Place of processing by sub processors

With regard to the place of data processing by sub processors, section 2.2 above is applicable.

4. Obligations of the Company

4.1 Confidentiality

The Company undertakes to ensure that all persons entrusted with the processing of personal data, are bound to confidentiality or are subject to an appropriate statutory duty of confidentiality.

4.2 Technical and organizational measures

The Company undertakes that it has taken and maintains all necessary technical and organizational measures to ensure data security in accordance with the applicable data protection regulations (Art. 8 FADP and Art. 32 GDPR) in order to prevent unauthorized processing, loss or damage to personal data.

4.3 Obligation to provide support

The Company is obliged to support the Customer upon request in complying with the applicable data protection regulations, taking into account the information available to it and to the extent possible with reasonable effort (in particular in reporting any breaches of data security to the competent authorities and claims for information by data subjects).

4.4 Duty to inform

The Company undertakes to notify the Customer in the event of (a) a breach of data security and/or the applicable data protection regulations in connection with this DPA, (b) requests from data subjects in connection with the processing of personal data in accordance with this DPA, or (c) the existence of any requests for access and actual access to personal data by authorities, unless such notification is prohibited by law. If the GDPR is applicable, the Company must also inform the Customer if it is of the opinion that an instruction violates the GDPR.

4.5 Return and deletion

The Company undertakes to (a) return all personal data to the Customer after termination of this DPA, subject to statutory retention obligations, in accordance with the Customer's instructions, or (b) delete it without retaining a copy, and to confirm the deletion to the Customer accordingly. Statutory retention obligations remain reserved.

5. Rights and obligations of the Customer

5.1 Right to issue instructions

The Company undertakes to process the personal data exclusively for the purposes of the Main Agreement, this DPA and the instructions of the Customer. The Customer acknowledges that, in case of Customer's instructions (e.g. to delete certain personal data), the Company's performance obligations under the Main Agreement may no longer be completely fulfilled.

5.2 Right of control

The Customer shall have the right to satisfy itself of compliance with the provisions on data protection and this DPA to a reasonable extent. With regard to costs, clause 6.1 is applicable.

5.3 Duties as controller

Within the scope of this DPA, the Customer is responsible for compliance with the statutory data protection provisions in its role as controller, in particular for the lawfulness of the transfer of data to the Company, for the lawfulness of data processing and for safeguarding the rights of data subjects. The Customer is responsible for the reporting obligations under data protection law.
The Customer shall inform the Company immediately and in full if it discovers any errors or irregularities with regard to data protection provisions in connection with this Agreement.

6. Final provisions

6.1 Assumption of costs

The Customer shall compensate the Company for all expenses incurred in connection with the performance of duties under this DPA at the hourly rates customary in the industry (excl. VAT).
The regulation pursuant to this clause 6.1 shall apply to all obligations of the Company arising from this DPA, unless another cost regulation has been explicitly agreed.

6.2 Duration, termination, amendment

The start and duration of this DPA corresponds to the start and duration of the Main Agreement. This DPA ends automatically upon termination of the Main Agreement.
The DPA may be terminated by the parties at any time in accordance with the formal requirements set out in section 6.5 by mutual agreement.

6.3 Liability

Both parties are liable to the persons concerned in accordance with the statutory provisions.

6.4 Trade secrets

Both parties are obliged to keep all knowledge of business secrets and data security measures of the other party obtained within the scope of the contractual relationship strictly confidential during the term of the DPA and after termination of the DPA.

6.5 Form and notifications

Regarding form and notifications the provisions of the Main Agreement apply.

6.6 Severability clause

Should provisions of this DPA be or become invalid, this shall not affect the validity of the remainder of this DPA. In such a case, the parties shall reach an agreement to replace the provision in question with a valid provision that is as close as possible to the economic intent of the invalid provision.

6.7 Applicable law and place of jurisdiction

The DPA shall be governed by Swiss law to the exclusion of the conflict of laws rules. The exclusive place of jurisdiction shall be at the place of the Company's registered office.


Version 1.0 / Date 24.12.2024

Be the first to know

Useful and interesting content: features, updates, use cases, and much more. Not too often, but always valuable.

We care about your data. Read our privacy policy.