adv – SWISS21

Agreement on Data Processing (ADV)

Agreement on Data Processing (ADV) between the owner of an AbaNinja account (“Customer”) und Abacus Research AG, Abacus-Platz 1, CH-9300 Wittenbach («Provider»). Referred to separately as «Party» or collectively as «Parties».


  1. The Customer commissions the Provider with tasks for the processing of personal data («data») within the context of data protection regulations. In this context, the Provider may be a processor or further processors within the meaning of data protection law. Such tasks take place in the context of support requests, maintenance work or other tasks in which the Provider obtains access (also by means of “remote access”) to data or is otherwise provided or can take note of data by the Customer or its customers.
  2. In order to comply with the legal requirements, this Agreement shall apply. It applies to all activities in connection with contracts concluded between the parties, in which employees of the Provider or persons authorized by the Provider process data of the Customer (including data of its customers). In addition, this Agreement applies to all future contracts that provide for commissioned data processing, which the parties conclude with each other.

1. Subject of the agreement

  1. The respective contracts concluded between the parties, which may include commissioned data processing, result in the subject matter of this agreement as well as its nature and purpose, to which reference is made here.
  2. The Provider shall perform the commissioned data processing in Switzerland, in member states of the EU/EEA and other third countries. Processing in a third country shall be carried out with the consent of the Customer granted herein. If the data is subject to professional or official secrecy or if other contractual obligations of secrecy or contractual arrangements would preclude processing in a third country, the Customer shall notify the Provider prior to processing by the Provider so that further action can be agreed between the parties. If no notification is made, the Provider may assume that processing may take place in a third country. The Customer is solely responsible for ensuring that the necessary legal basis for lawful data processing outside Switzerland is available.
  3. Any further relocation of the commissioned data processing or parts thereof to other third countries will only take place if the special data protection requirements are met (e.g. adequacy decision, standard data protection clauses, approved rules of conduct or another suitable guarantee for the data transfer).
  4. At present, additional processors in Switzerland (e.g. support) are used to provide the commissioned data processing and for partial work of the commissioned data processing (e.g. communication in the support area) in member states of the EU as well as in the USA. An up-to-date list of the other processors is available from the Provider upon request by the Customer.

2. Duration of the agreement

  1. The term of this Agreement shall be determined by the term of the contracts for commissioned data processing between the parties, unless the provisions of this Agreement impose obligations or rights of termination that go beyond this.
  2. The parties may terminate this Agreement for commissioned data processing by giving 4 weeks’ notice in the event of a serious breach of data protection regulations or the provisions of this Agreement. In the case of simple – i.e. neither intentional nor grossly negligent – violations, either party shall set the other party a reasonable period of time within which the other party may remedy the violation.

3. Type and purpose of the processing, type of data and categories of data subjects

  1. The activities of the Provider include services which are related to the contractual products described in the respective contracts concluded between the parties and for which commissioned data processing by the Provider is possible.

The activities of the Provider may include, but are not limited to, the following:

    • Installation and testing of the contractual products at the Customer or its customers
    • Improvements to the contractual products
    • Maintenance, installation and test of provided hotfixes, service packs and new versions of the contract products
    • Support activities
    • Access to and processing of data at the Customer or directly at its customers
    • Hosting of applications, software solutions and data

The following types of processing are possible:

    • Collecting, entering, organizing or arranging data
    • Storage, adaptation or modification of data
    • Reading, querying, use and disclosure of data by transmission
    • Dissemination or other form of provision, matching or linking of data
    • Restriction, deletion or destruction of data
    • The types of data processed as well as the categories of data subjects are determined by the respective subject matter and products of the contract. An up-to-date list of the con-tractual products, as well as information on the data and the categories of data subjects that can be processed within the scope of the contractual data processing, can be obtained from the Provider.

4. Rights and powers of instruction and obligations of the client

  1. Only the Customer or its customers as data controllers (hereinafter referred to as “data controllers”) are responsible for assessing the permissibility of the processing and for safeguarding the rights of the data subjects in terms of data protection. The Provider shall forward all inquiries, insofar as they are recognizably addressed to the Customer or a data controller, to the Customer.
  2. Changes to the object of processing and procedural changes may be agreed upon jointly between the Customer and the Provider and may be specified in writing or in a documented electronic format.
  3. The Customer has the right to issue instructions to the Provider and generally issues these instructions in writing or in a documented electronic format. Oral instructions must be confirmed by the Customer immediately in writing or in a documented electronic format. The instructions shall be kept for their period of validity and subsequently for three full calendar years. Instructions which are not provided for in the respective contract will be treated as a request for a change of service and must be remunerated accordingly by the client.
  4. Persons authorized by the Customer and recipients of instructions of the Provider are determined individually between the parties, and the communication channels to be used are specified.
  5. The Customer shall inform the Provider without delay if they detect violations of data protection, errors or irregularities in the examination of the results of the order or if they becomes aware of such. The Provider shall take the necessary measures to secure the data and to mitigate possible adverse consequences of the persons concerned and may consult with the Customer on this matter.
  6. The Customer or its customers are solely responsible for the data provided to the Provider. The Customer guarantees that these data have been processed in a lawful manner (information obligations, legal basis, compliance with data protection principles, etc.) and may continue to be processed by them. The Provider is not responsible for assessing the permissibility of the processing or for safeguarding the rights of the data subjects.

5. Obligations of the Provider

  1. The Provider shall process data exclusively within the scope of the agreements made and according to documented instructions of the Customer, unless the Customer is obliged to carry out other processing by the applicable law to which the Provider is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the Provider shall notify the Customer of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest. The purpose, type and scope of data processing shall be governed exclusively by this agreement and/or the instructions of the Customer.
  2. The Provider shall immediately notify the Customer if an instruction issued by the Customer obviously violates legal requirements. The Provider is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the responsible person or the Customer after verification. If the Provider is able to demonstrate that processing in accordance with the instructions of the Customer may lead to liability on the part of the Provider, the Provider shall be entitled to suspend further processing in this respect until clarification of the liability between the parties.
  3. The Provider shall not use the data provided for processing for any other purposes, in particular not for its own purposes. Copies or duplicates of the data will not be made without the knowledge of the Customer. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data which is required in order to comply with statutory storage obligations.
  4. The Provider may not correct, delete or restrict the processing of data processed on behalf of the Customer without authorization, but only after documented instructions from the Customer.
  5. Within their area of responsibility, the Provider shall design and monitor the internal organization in such a way that it meets the special requirements of data protection.
  6. The Provider shall keep a register of all categories of processing activities carried out on behalf of the Customer, which contains all the necessary details of a processing register.
  7. The data processed on behalf of the Customer are strictly separated from other databases. A physical separation is not mandatory.
  8. The data carriers that originate from the Customer or are used for the Customer are specially marked. Incoming and outgoing data as well as the current use will be documented.
  9. The Provider shall cooperate to the necessary extent in the fulfilment of the rights of the persons concerned by the Customer, the security of the processing, the notification of data protection violations as well as in any necessary data protection follow-up assessments of the Customer and shall provide the Customer with appropriate support as far as possible.
  10. The processing of data outside the Provider’s business premises, for example in the home office of employees, is hereby permitted by the Customer. If the data are processed in a private home, access to the home of the employee for control purposes of the Customer as well as other necessary measures must be contractually ensured.
  11. The Provider undertakes to maintain confidentiality when processing the data in accordance with the contract. This continues to exist after the contractual relationship has ended. If necessary, they will also observe relevant secrecy protection rules, which are the responsibility of the Customer.
  12. The Provider has familiarized the employees and other persons working for the Provider who are involved in the processing of data on behalf of the Customer with the relevant data protection regulations before they commence work and has obligated them to maintain secrecy in an appropriate manner for the duration of their work and after termination of their employment. They are prohibited from processing the data outside the instructions of the Customer, unless they are legally obliged to process the data.
  13. A data protection officer has been appointed by the Provider. The current contact details are published on the website of the Provider and are easily accessible.

6. Notification obligations of the Provider in case of violations of data protection

  1. If the Provider becomes aware of a violation of data protection or data security, it shall notify the Customer of this immediately orally, in writing or in text form.
  2. The notification to the Customer shall contain at least the following information:
    1. a description of the nature of the data protection breach, if possible with an indication of the categories and approximate number of persons affected, the categories affected and the approximate number of personal data records affected;
    2. a description of the measures taken or proposed by the Provider to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
  3. In the event that there is an obligation to inform third parties (such as the data subjects) or any other legal obligation to notify (e.g. to a supervisory authority) applicable to the Customer or a responsible party, the Customer or the responsible party is responsible for compliance with such obligation.

7. Subcontracting relationships with other contract processors

  1. Such contractual relationships include those services that are directly related to the provision of the main service or parts of the main service under this agreement. This does not include purely ancillary services, such as telecommunications, postal or transport services, cleaning services or security services without any specific reference to services which the Provider provides for the Customer. Maintenance, care and testing services as well as the disposal of data carriers represent – as far as access to or knowledge of data of the Customer is possible – such contractual relationships as far as these are provided for IT systems which are also used in connection with the provision of services for the Customer.
  2. The Provider is hereby generally permitted to commission other contract processors (e.g. consultation or replacement) to process data of the Customer. A current list of the com-missioned other contract processors is available from the Provider upon request by the Customer. The Customer hereby declares its agreement with their assignment.
  3. The Provider shall inform the Customer of any intended change regarding the addition of new contract processors or the replacement of existing processors within 30 days, which gives the Customer the opportunity to object to such changes.
  4. If no objection is made by the Customer within 7 days, the Customer agrees to the change, if an objection is made within this period, the assignment of the other contract processor is not permitted. In such a case, the parties will find an amicable solution regarding the further processor.
    In emergency situations, the Customer will react within 1 day and, if necessary, raise their objection.
  5. The Provider shall ensure that they carefully selects other contract processors.
  6. Other contract processors in third countries may only be commissioned if the special data protection requirements are met (e.g. adequacy decision, standard data protection claus-es, approved rules of conduct or other suitable guarantee for the data transfer). The Provider shall ensure this by taking appropriate measures. For this purpose, the Customer hereby grants the Provider the necessary authorization to take the appropriate measures (also by proxy), such as the conclusion of standard data protection clauses (also in the name and on behalf of the Customer), should no adequate level of data protection be established.
  7. The Provider shall ensure by contract that the provisions agreed between the Customer and the Provider also apply to other processors. The contract with the additional processor shall be in writing or in electronic form.

8. Technical and organizational measures

  1. A level of protection is ensured for the specific contract processing that is adequate to the risk to the rights and freedoms of the data subjects. To this end, the protection objectives such as confidentiality, integrity and availability of the systems and services and their resilience with regard to the nature, scope, circumstances and purpose of the processing are taken into account in such a way that the risk is reduced in the long term by appropriate technical and organizational remedial measures.
  2. A list of the technical and organizational measures taken by the Provider is available from the Provider upon request of the Customer. The measures contained in this list represent the measures used by the Provider in accordance with the identified risk, taking into account the protection goals according to the state of the art.
  3. The Provider shall, if the occasion arises and at regular intervals, carry out a review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing. The result including the audit report can be provided to the Customer on request. The measures taken by Provider can be adapted to technical and organizational developments during the course of the contract.
  4. If the measures by the Provider do not meet the requirements of the Customer, the Customer shall inform the Provider immediately.

9. Rights and claims of the persons concerned

  1. The Provider shall support the Customer, as far as possible, with suitable technical and organizational measures in the fulfilment of the Customer’s obligations with regard to inquiries and claims of the persons concerned.
  2. If a data subject turns to the Provider with requests for correction, blocking, deletion or information, the Provider shall immediately refer the data subject to the Customer, provided that an obvious assignment to the Customer is possible according to the data subject’s statements, and shall await the Customer’s instructions.
  3. The Provider may only provide information to third parties about data from the contractual relationship with the Customer after prior instruction or with the Customer’s consent.
  4. The Provider shall not be liable if the request of the data subject is not correctly or not in due time answered by the Customer or its customers as responsible persons.

10. Checks and verifications

  1. The Provider shall review the internal processes at regular intervals and agrees that the Customer is entitled, prior to the start of processing and during the term of the contract, to regularly review compliance with the regulations on data protection and data security as well as the contractual agreements to the appropriate and necessary extent.
  2. The Provider shall assist in these checks to the extent necessary. The result shall be documented.
  3. If, in individual cases, checks are necessary, these will be carried out during normal business hours without disrupting the operating process after notification, taking into account an appropriate lead time. The Provider may make such checks dependent on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organizational measures set up. The Customer agrees to the appointment of an independent external auditor by the Provider, provided that the Provider provides a copy of the audit report upon request of the Customer.
  4. Should a data protection supervisory authority or other sovereign supervisory authority carry out an inspection, it is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or legal confidentiality, where a violation is punishable under the Criminal Code.
  5. Upon request, the Customer and the Provider shall cooperate with the data protection supervisory authority in the performance of its duties.
  6. For assistance in carrying out an inspection, the Provider may demand reasonable remuneration based on the expenses actually incurred. The usual hourly rates of the Provider shall apply for this purpose.
  7. As a general rule, the Customer shall remunerate support services by the Provider, which are not caused by misconduct of the Provider, appropriately according to the expenses actually incurred. The usual hourly rates of the Provider shall apply.

11. Obligation of the provider after completion of the order

  1. After completion of the contractual work or at any time at the request of the Customer, the provider will hand over to the Customer all data and files of the Customer that have come into its possession in connection with the contractual relationship or will have them deleted or destroyed in compliance with the provisions of data protection law (unless this contradicts a legal obligation to preserve records). The same applies to data backups, test and reject material.
  2. Upon the Customer’s request, the Provider can provide proof of the proper deletion of the remaining data. Documents to be disposed of must be destroyed with a shredder. Data carriers to be disposed of are to be destroyed according to their security classification. The deletion or destruction can be confirmed to the Customer in writing with date or, upon request, in a documented electronic format.
  3. The Customer has the right to check the complete return and deletion of the data at the provider in accordance with the contract.
  4. For the above-mentioned return, deletion or destruction, the Provider has a reasonable claim for compensation from the Customer. The usual hourly rates of the Provider shall apply.

12. Liability for breach of this agreement

  1. The Client and the Provider shall be jointly and severally liable to the data subject for any damages suffered by a data subject as a result of any data processing or use under this Agreement that is unlawful or incorrect under the Data Protection Acts, to the extent that the applicable laws and regulations on data protection so provide.
  2. Subject to separately agreed liability provisions in the respective contracts concluded between the parties, which may include commissioned data processing, the Provider shall be liable to the Customer for direct damages resulting from violations of its data protection obligations under this Agreement, up to a maximum of 10% of the actually paid remuneration for the service causing the damage over the last 12 months, but not exceeding a total amount of CHF 50,000, unless the Provider is not or not fully responsible for the event causing the damage.
  3. Any limitations of liability between the Customer and its customers as responsible parties shall also apply in favour of the Provider, so that the Provider shall not be obliged to compensate the Customer for amounts which the Customer does not have to pay on account of such limitations of liability.
  4. Any further liability – as far as legally permissible – is excluded. For other damages, not caused by a violation of the data protection obligations of this Agreement, the liability provisions agreed in the respective contracts concluded between the parties shall apply.

13. Miscellaneous

  1. Agreements on the technical and organizational measures as well as control and test documents must be kept by both contracting parties for their period of validity and subsequently for three full calendar years.
  2. The Provider reserves the right to amend this agreement at any time. The Customer shall be notified in writing at least 30 days in advance of any changes or shall be notified in any other way. If the Customer does not make use of his ordinary right of termination within one month after notification, the changes shall be deemed accepted. In the event of a change, the Customer shall have no claims against the Provider.
  3. Amendments, supplements to this Agreement as well as collateral agreements must always be in writing or a documented electronic format is required. It must be expressly pointed out that it is an amendment, a supplement or an ancillary agreement of these terms and conditions. This also applies to the waiver of this formal requirement. Unilateral amendments and supplements to this Agreement by the Provider shall remain excluded from this formal requirement.
  4. If the property or the data of the Customer to be processed at the Provider is endangered by measures of third parties (such as seizure or confiscation), by insolvency or composition proceedings or by other events, the Provider shall notify the Customer immediately, unless this is prohibited by court or official order. The Provider shall immediately inform all authorities responsible in this connection that the sovereignty and ownership of the data lies exclusively with the Customer or its customers as the responsible parties.
  5. The objection of the right of retention is excluded with regard to the data processed for the Customer and the associated data carriers.
  6. Should individual provisions of this Agreement prove to be ineffective or void, this shall not result in the ineffectiveness or invalidity of the remaining provisions, but these shall be replaced by provisions which come closest to the economic purpose of the Agreement. The same applies in case of a contractual gap.
  7. In the event of any contradictions with regard to order data processing, regulations on data protection in this Agreement shall take precedence over the regulations of the respective contracts concluded between the parties.
  8. The exclusive place of jurisdiction for all disputes arising from or in connection with this contract is the registered office of the Provider. However, the Provider is also entitled to bring a dispute before the court having jurisdiction over the registered office of the Customer.
  9. This contract shall be governed by Swiss law to the exclusion of private international law.

Annexes available on request of the Customer:

  • List of further Customer of Abacus Research AG for “AbaNinja”

  • List of contractual products, as well as the indication of the data and the categories of persons concerned

  • List of technical and organizational measures of Abacus Research AG

V 1.0 | 21.09.2020