Data Processing Agreement (DPA)

Our Data Processing Agreement (DPA) specifies your and our rights and obligations with regard to data protection aspects – based on the new Swiss Federal Act on Data Protection (nFADP) and the General Data Protection Regulation of the European Union (GDPR).

If you are a customer of ours, you are welcome to sign a DPA with us. Please contact us for this.

This Data Processing Agreement (“DPA”) is concluded by and between

(Name and address of the customer)

hereinafter, “Customer” and

Friendly GmbH
Werkhofstrasse 5
6052 Hergiswil
Switzerland

hereinafter, “Friendly”.

Introduction

This DPA specifies the rights and obligations of the Parties with regard to data protection aspects based on the applicable data protection laws – in particular the new Swiss Federal Act on Data Protection (“nFADP”) and the General Data Protection Regulation of the European Union (“GDPR”).

Terms used in this DPA have the meaning given to them in the GDPR. This DPA applies insofar as the Customer (acting as a Controller) has Personal Data processed by Friendly (acting as a Processor) within the scope of the nFADP and the GDPR.

This DPA supplements the existing “Principal Agreement” between the Parties. The Principal Agreement means the Software Product Agreement and any other agreements between the Parties under which Friendly acts as a service provider for the Customer.

1. Object, duration, and specification of Contract Processing of Data

The object of this DPA is the processing of Personal Data provided by the Customer to Friendly in connection with Friendly’s software products.

The DPA shall automatically terminate upon termination of the Principal Agreement.

The following Data are or may be processed by Friendly:

Service according to the Principal Agreement: Friendly Automate: CRM, Marketing Automation and Email Marketing
  • Type of Personal Data: Customer may submit Personal Data to the Service; the categories, extent and detail of such Data are determined and controlled by Customer in its sole discretion.
  • Nature, Purpose and Duration of Processing: Friendly processes the Customer’s Personal Data for the provision of the ordered service in the areas of CRM, marketing automation and email marketing for the duration of the Principal Agreement.
  • Categories of Data Subjects: Customers, prospects, employees, partners or suppliers of the Customer

Service according to the Principal Agreement: Friendly Automate: Website Tracking (optional)
  • Type of Personal Data: IP addresses
  • Nature, Purpose and Duration of Processing: Enrichment of the Customer’s contact data and of the profiles of anonymous website visitors with information about their behavior on the website
  • Categories of Data Subjects: Visitors of the Customer’s website

Service according to the Principal Agreement: Friendly Automate: Email Tracking (optional)
  • Type of Personal Data: Email addresses
  • Nature, Purpose and Duration of Processing: Enrichment of the details of the Customer’s contacts with information on behavior in emails (opens and clicks)
  • Categories of Data Subjects: Recipients of emails sent by the Customer

Service according to the Principal Agreement: Friendly Analytics
  • Type of Personal Data: No personally identifiable data is stored or processed
  • Nature, Purpose and Duration of Processing: Provision of anonymized website usage analytics
  • Categories of Data Subjects: Visitors of the Customer’s website

Friendly Analytics stores and processes the following non-personally identifiable information in order to deliver the services according to the Principal Agreement:

  • The anonymized IP address of the website visitor. The last two bytes of the address are masked; Friendly therefore does not consider it Personal Data
  • Date and time of the request
  • Title of the page being viewed
  • URL of the page being viewed
  • URL of the page that was viewed prior to the current page (“Referrer”). For privacy reasons, only the domain is processed, without path and query string.
  • Screen resolution being used
  • Time in the user’s local timezone
  • Files that were clicked and downloaded
  • Links to an outside domain that were clicked
  • Page generation time (the time it takes for a web page to be generated by the web server and then downloaded by the user)
  • Country, region, city, approximate latitude and longitude of the website visitor (Geolocation)
  • Main language of the browser being used (Accept-Language header)
  • User Agent of the browser being used (User-Agent header). From the User-Agent, Friendly detects the browser, operating system, device type used (desktop, tablet, mobile, TV, car, console, etc.), brand and model.

Friendly stores full IP addresses in the server logs for a maximum of 24 hours. Retaining full access logs for a limited period is a security measure in the sense of Art. 32 of the GDPR (Security of Processing): the full addresses are needed to defend against DDoS attacks, detect anomalies and ensure the resilience of processing systems and services. After this period, Friendly automatically anonymizes the IP addresses in the server logs.
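The three rules above (an IPv4 address with its last two bytes masked, a referrer reduced to its domain, and full addresses kept in server logs for at most 24 hours) can be written down as a small log scrubber. The following Python is an added illustration and not Friendly’s own code: it assumes an Apache/nginx “combined” log line format, a constructed set of sample lines and a fixed reference time, and it extends the page’s IPv4 rule to IPv6 by keeping only the /48 prefix, which is an assumption the page does not state.

```python
"""Log scrubber for the anonymization rules described above.
Added example, not Friendly's code. Assumptions: combined log format,
constructed sample lines, fixed reference time, /48 rule for IPv6."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Page: full IP addresses are kept in server logs for at most 24 hours.
RETENTION = timedelta(hours=24)

# Apache/nginx "combined" log format (assumed; the page names no format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def anonymize_ip(ip: str) -> str:
    """Mask the last two bytes of an IPv4 address (the page's rule).
    IPv6 is not covered by the page; keeping only the /48 prefix is an
    assumption made here so that v6 visitors are not left unmasked."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def referrer_domain(ref: str) -> str:
    """Reduce a referrer URL to its host name, dropping path, query and
    fragment, as the page describes. Empty, missing or unparsable
    referrers become '-' (the combined-log placeholder)."""
    if not ref or ref == "-":
        return "-"
    return urlsplit(ref).hostname or "-"


def scrub_line(line: str, now: datetime) -> str:
    """Return the log line with the referrer reduced to its domain and,
    once the entry is older than RETENTION, the client IP masked."""
    m = LOG_RE.match(line)
    if m is None:
        # Fail closed: an unparsed line could carry an unmasked address.
        raise ValueError(f"unrecognised log line: {line!r}")
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ip = f["ip"] if now - ts < RETENTION else anonymize_ip(f["ip"])
    ref = referrer_domain(f["ref"])
    return (f'{ip} {f["ident"]} {f["user"]} [{f["ts"]}] "{f["req"]}" '
            f'{f["status"]} {f["size"]} "{ref}" "{f["ua"]}"')


def scrub_log(lines, now: datetime):
    return [scrub_line(line, now) for line in lines]


# Constructed sample input (not real traffic) and a fixed reference time.
NOW = datetime(2024, 3, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    # 26 hours old: outside the 24-hour window, IP gets masked
    '203.0.113.57 - - [12/Mar/2024:10:00:00 +0000] "GET /pricing HTTP/1.1" '
    '200 5120 "https://www.example.org/blog/post?utm_source=x" "Mozilla/5.0"',
    # 30 minutes old: still inside the window, full IP retained
    '198.51.100.23 - - [13/Mar/2024:11:30:00 +0000] "GET /docs/ HTTP/1.1" '
    '200 2048 "https://search.example.net/?q=friendly" "Mozilla/5.0"',
    # IPv6 client, two days old, no referrer
    '2001:db8:abcd:1234::5678 - - [11/Mar/2024:09:15:00 +0000] '
    '"GET / HTTP/1.1" 200 1024 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LINES, NOW):
        print(scrubbed)
```

A line the scrubber cannot parse raises instead of being passed through, so an unexpected log format cannot leak an unmasked address into the anonymized output. The referrer is reduced on every line regardless of age, since the page describes that as a rule of processing rather than of retention.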

2. Scope of application and responsibilities

  1. Friendly shall process Data on behalf of Customer. Such Contract Processing shall include all activities specified in the service description of the Principal Agreement or, respectively, of the software products ordered.
  2. Within the scope of this DPA, Customer shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Data to Friendly and the lawfulness of having Data processed on behalf of Customer. Customer shall be the “controller” in accordance with Article 4 no. 7 of the GDPR.

3. Place of Processing

  1. Processing takes place exclusively in Switzerland.
  2. For processing, Friendly uses only Subprocessors that are headquartered in Switzerland. The only exception to this is email sending; for this, Friendly uses Subprocessors based in the EU with processing in the EU.

4. Friendly’s obligations

  1. Except where expressly permitted by Article 28 (3)(a) of the GDPR, Friendly shall process the Data of Data Subjects only in accordance with the Principal Agreement and the Customer’s documented instructions. If Friendly considers that an instruction is in breach of applicable law, Friendly shall notify Customer of this view without undue delay. Friendly shall have the right to suspend the execution of such instruction until Customer confirms or modifies such instruction.
  2. Friendly shall organise its internal organisation so that it satisfies the specific requirements of data protection. Friendly shall implement technical and organisational measures to ensure the adequate protection of Customer’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Friendly shall implement, before the beginning of the Data processing, technical and organisational measures and safeguards that ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and that comply with Annex 1 to this DPA. The state of the art, the implementation costs and the nature, scope and purpose of the Processing as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects shall be taken into account. Material changes to the technical and organisational measures defined in Annex 1 to this DPA shall be documented and communicated to the Customer without delay.
  3. If the measures taken no longer meet the applicable data protection laws and regulations, Friendly shall inform the Customer immediately and implement the changes required to maintain the level of data protection and data security without delay. The Customer may verify Friendly’s technical and organisational measures at any time to ensure that they are complete, correct and necessary. Friendly shall, at the request of the Customer, provide the latter with all necessary documents and information and support the evaluation or updating of the technical and organisational measures. The changes shall be recorded in writing. Friendly warrants that it fulfils its obligations under Article 32 (1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
  4. Friendly shall support Customer, to the best of its ability and where possible for Friendly, in fulfilling data subjects’ requests and claims as detailed in Chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR.
  5. Friendly warrants that all employees involved in Contract Processing of Customer’s Data and other such persons as may be involved in Contract Processing within Friendly’s scope of responsibility such as Subprocessors shall be prohibited from processing Data outside the scope of the instructions of the Customer. Furthermore, Friendly warrants that any person entitled to process Data on behalf of Customer has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing, respectively the DPA.
  6. Friendly shall notify Customer immediately if Friendly becomes aware of a breach of the protection of Personal Data. This also applies in the event of serious operational disruptions, suspected other breaches of Personal Data protection regulations or other irregularities in the handling of Personal Data which could have an impact on the data subjects or the Customer or cause damage. Violations of data protection include the loss of confidentiality and the loss, destruction or falsification of Personal Data. Friendly shall cooperate with the Customer and take reasonable steps to mitigate and remediate the consequences of a Personal Data Breach.
  7. Friendly shall notify to Customer the point of contact for any issues related to data protection arising out of or in connection with the DPA.
  8. Upon termination of this DPA or at any time at the request of the Customer, Friendly shall, at the discretion of the Customer, either delete the Data processed on behalf of the Customer or return them to the Customer, unless the law requires storage of the Personal Data. All existing copies of the Data shall also be destroyed or deleted, unless there is a legal obligation to retain them. In such cases, Friendly shall also bring about the immediate return or deletion of the Data by any Subprocessors.
  9. Friendly shall, upon termination of Contract Processing and upon Customer’s instruction, return all Data, carrier media and other materials to Customer or delete the same.
  10. Where a data subject asserts any claims against the Customer in accordance with Article 82 of the GDPR, Friendly shall support the Customer in handling such claims, where possible. Friendly shall also ensure that this commitment applies to its Subprocessors.

5. Customer’s obligations

  1. Customer shall notify Friendly, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Customer in the results of Friendly’s work.
  2. Customer shall notify to Friendly the point of contact for any issues related to data protection arising out of or in connection with the DPA.

6. Enquiries by data subjects

  1. Where a data subject asserts claims for rectification, erasure or access against Friendly, and where Friendly is able to correlate the data subject to Customer, based on the information provided by the data subject, Friendly shall refer such data subject to Customer. Friendly shall forward the data subject’s claim to Customer without undue delay and without responding to the data subject.
  2. Friendly shall support Customer, where possible and based upon Customer’s instruction, insofar as agreed upon. At the request of the Controller, Friendly will correct, restrict (e.g. block), limit or delete the Personal Data or assist with data portability. Friendly shall not be liable in cases where Customer fails to respond to the data subject’s request completely, correctly or in a timely manner.

7. Documentation and evidence

  1. The Customer shall be entitled to verify compliance. Friendly shall document and prove to Customer, by appropriate means, Friendly’s compliance with the obligations agreed upon in this DPA.
  2. Where, in individual cases, audits and inspections by Customer or by an auditor appointed by Customer are requested, such audits and inspections shall be conducted during regular business hours, without interfering with Friendly’s operations, upon prior notice and observing an appropriate notice period. Friendly may also make such audits and inspections subject to the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organisational measures and safeguards implemented. Friendly shall be entitled to reject auditors which are competitors of Friendly. Customer hereby consents to the appointment of an independent external auditor by Friendly, provided that Friendly provides a copy of the audit report to Customer. Friendly’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed otherwise.
  3. Where a data protection supervisory authority or another supervisory authority with statutory competence for Customer conducts an inspection, para. 2 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.

8. Subprocessors

  1. Customer hereby consents to Friendly’s use of Subprocessors.
  2. The agreements made with these third parties must be at least equivalent to the provisions of this DPA in order to ensure an appropriate level of data protection and information security measures.
  3. Friendly shall make available to Customer the current list of Subprocessors for the Friendly services. Such Subprocessor lists shall include the identities of those Subprocessors and their country of location. A key date list of all Subprocessors engaged by Friendly at the time of entering into this DPA is provided in Annex 2 to this DPA.
  4. If Friendly intends to use additional Subprocessors, Friendly will notify the Customer in writing or electronically in good time – but no later than two weeks – prior to their use. The Customer has two weeks after this notification to object to the use of the Subprocessor(s). If no objection is made within this period, the use of the Subprocessor(s) shall be deemed approved. In urgent cases (e.g., error analyses or defect rectification required at short notice), Friendly may reasonably shorten the notification and objection period. If an objection is made in due time, the Subprocessors concerned may not be used. Objections are only permissible if the Customer has reasonable grounds to believe that the use of the Subprocessor would restrict data security or data protection, jeopardize compliance with legal or contractual provisions, and/or conflict with other legitimate interests of the Customer; the relevant grounds must be attached to the objection.

9. Liability and damages

  1. Customer and Friendly shall be liable to data subjects in accordance with Article 82 of the GDPR.

10. Remuneration

Friendly’s remuneration with regard to this DPA is regulated exhaustively herein. No additional or separate remuneration or reimbursement of costs shall be made within the scope of this DPA or for related expenses.

11. Amendments and additions

All amendments and additions to this DPA shall be made in writing. Any addition, deletion or modification of any provision of this DPA shall be deemed an amendment within the meaning of this clause.

12. Integrating components

  1. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
  2. The following appendices shall form an integral part of this DPA:
     • Annex 1: Technical and organisational measures
     • Annex 2: List of Subprocessors

13. Severability Clause

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

14. Applicable Law and Place of Jurisdiction

The same provision as in the Principal Agreement shall apply to applicable law and place of jurisdiction.