Privacy Policy | AGIL Mobile Warehouse

Order processing agreement AVV between customers of AGILITA AG as the responsible party (hereinafter referred to as the client) and AGILITA AG, Neue Winterthurerstrasse 99, 8304 Wallisellen as the order processor (hereinafter referred to as the contractor).

Preamble

A. The Client and the Contractor have an existing contractual relationship for the provision of IT services in the SAP environment. The services to be provided are specified in the respective individual contracts and the further documents such as e.g. general terms and conditions.

B. For the purpose of the performance of the Main Contract, the Contractor may have access to personal data disclosed or otherwise made available to the Contractor by the Client directly or by third parties on the Client’s behalf (hereinafter Personal Data).

C. The Parties wish to ensure that the processing of personal data carried out by the Contractor on behalf of the Client, directly or through third parties, under the Main Contract complies with the applicable data protection laws, agreeing on certain conditions for the said data processing set forth in this Data Protection Addendum (Controller – Processor) (hereinafter the Contract). Having said this, the parties agree as follows:

1. Definitions of terms

1.1. Applicable data protection laws means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (hereinafter DSGVO), the new Swiss Federal Data Protection Act (nDSG), the Swiss Ordinance to the Federal Data Protection Act (FADP) and, where applicable, other applicable data protection decrees.

1.2. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (Art. 4 para. 7 DSGVO; Art. 5 lit. j nDSG).

1.3. Processor is the natural or legal person who processes personal data on behalf of the controller (Art. 4 para. 8 DSGVO; Art. 5 lit. k nDSG).

1.4. Personal data is any information relating to an identified or identifiable natural or legal person (hereinafter data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 (1) DSGVO; Art. 5 lit. a DSG).

1.5. Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 para. 2 DSGVO; Art. 5 lit. d DSG).

2. Scope and subject matter

2.1. Scope. This Agreement shall apply to any form of processing of personal data for the Client by the Contractor.

2.2. Subject matter, duration, nature and purpose. The subject matter and duration as well as the nature and purpose of the processing result from the main contract and the associated service description.

2.3. Type of personal data/categories of data subjects. The type of personal data and the categories of data subjects are specified in the main contract or sufficiently concretized in the service description.

3. Obligations of the contractor

3.1. Processing in accordance with instructions. The Contractor undertakes to process the data exclusively for the purposes of the main contract including this contract and in accordance with the documented instructions/directions of the Client. This also applies in particular with regard to the transfer of data to a third country or to an international organization. If the Contractor is required by the law of the European Union, the Member States or a non-EU Member State to which it is subject to carry out further processing, it shall notify the Client of these legal requirements prior to the processing. The Client may issue new instructions, supplement or amend existing instructions at any time. This also includes instructions with regard to the correction, deletion and blocking of personal data. All instructions given shall be documented in writing by both the Client and the Contractor. If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall immediately notify the Client thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The Contractor may refuse to carry out an instruction that is obviously unlawful. In all other respects, the obligations that arise directly for the Contractor from the applicable data protection laws, such as the creation of a list of the present commissioned processing pursuant to Art. 30 para. 2 DSGVO, remain in place and unaffected by this contract.

3.2. Obligation to Confidentiality. The Contractor undertakes and warrants that it has obligated all persons entrusted with the Data Processing, including vicarious agents, to confidentiality in writing prior to commencement of the activity or that they are subject to an appropriate statutory obligation to confidentiality, and that the obligation to confidentiality of the persons entrusted with the Data Processing shall continue to apply after termination of their activity with the Contractor. The Contractor shall be liable for any infringement by the persons entrusted with the data processing, including vicarious agents, as for its own conduct.

3.3. Protective Measures of the Contractor. The Contractor undertakes and warrants that it has taken and maintains all necessary measures to ensure the security of the Processing pursuant to Art. 32 GDPR or Art. 7 DPA in order to prevent unauthorized Processing, loss of or damage to Personal Data.

3.4. Support Obligations. The Contractor is obligated to support the Client upon request in complying with the applicable data protection laws at any time and to the extent possible.

a. Requests and rights of data subjects. The Contractor undertakes to support the Client with appropriate technical and organizational measures so that the Client can fulfill its obligation to respond to requests for the exercise of the rights of data subjects set out in Chapter III of the GDPR (in particular information, access, correction and deletion, data portability, objection as well as automated decision-making in individual cases) or Art. 8 et seq. DSG within the statutory time limits at any time, and shall provide the Client with all information necessary and available to it for this purpose. If a corresponding request is addressed to the Contractor, the Contractor shall immediately forward the request to the Customer. The Contractor must leave the response to such requests to the Client, unless it is required to do so by law. In any case, the parties agree to mutually coordinate the response to such requests.

b. Further information and support obligation. The Contractor undertakes to support the Client, taking into account the information available to it, in complying with the obligations set out in Art. 32 to 36 GDPR or Art. 7 DPA (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment and prior consultation).

The Contractor undertakes to notify the Client immediately in the event of (i) any actual or suspected data protection breach (this also applies to breaches of the main contract including this contract as well as any other data protection breaches pursuant to DSGVO or DSG), stating all information available to the Contractor pursuant to Article 33 para. 3 of the GDPR, (ii) any actual or threatened impairments or deficiencies on the part of the Contractor which prevent compliance with the provisions of the Main Contract, including this Contract, (iii) the existence of any requests for access and of the actual access to personal data by public authorities, unless such notification is prohibited by law for important reasons of public interest.

3.5. Return or Deletion Obligation upon Termination of Contract. The Contractor undertakes, upon termination of the Main Contract including this Contract and upon request of the Client, to return all personal data, subject to statutory retention obligations within the EU/EEA or Switzerland, to the Client at its option or to delete it without retaining a copy and to confirm the deletion to the Client accordingly. The deletion, incl. deletion of individual personal data, must be made in writing with original signature. The Contractor reserves the right to consult with authorized signatories of the Client.

3.6. Control Rights of the Customer. The Contractor undertakes to provide the Customer with all information necessary to demonstrate the Contractor’s compliance with this Agreement and to enable and actively support reviews, including inspections, by the Customer itself, an auditor commissioned by the Customer or by the supervisory authority. Inspections at the contractor’s premises shall be carried out without avoidable disruption to business operations.

4. Place of performance of data processing

Data processing is only performed at the locations defined in the associated main contract and in the contracts of the business partners (e.g. cloud providers).

The Contractor undertakes not to transfer any personal data, even partially, to a third country without the prior written consent of the Client. Excepted from this are transfers of data necessary for the fulfillment of the order in the context of service and support requests to the cloud providers.

If the data processing activities of cloud providers are also carried out, even if only partially, outside the EU, the level of data protection is ensured by the respective provider.

5. Use of subcontracted processors

The Contractor shall not be entitled to use a sub-processor without obtaining the prior written consent of the Client.

Intended changes of the subcontracted processor shall be notified to the Customer in writing in due time so that the Customer can prohibit them if necessary. The Contractor shall enter into the necessary written confidentiality and data protection agreements with the Subprocessor, which shall be at least as strict as the provisions of the Main Contract, including this Contract. In doing so, the Contractor shall in particular ensure that the Subprocessor enters into the same obligations and, in particular, also takes the technical and organizational measures that are incumbent on the Contractor under this Agreement.

The Contractor shall be liable to the Client for compliance with the obligations of the Subcontracted Processor as for its own conduct.

6. Execution of additional agreements

The Contractor agrees, at the request of the Customer, to enter into further agreements with the Customer for the processing of personal data within the framework of the existing contracts, provided that the Customer reasonably deems this necessary for compliance with the applicable data protection law.

7. Extraordinary right of termination

The Customer may terminate the contract at any time without notice if there is a serious breach of data protection regulations or the provisions of this contract by the Contractor, the Contractor cannot or will not carry out an instruction of the Customer or the Contractor refuses control rights of the Customer in breach of the contract. In particular, non-compliance with the obligations agreed in this Agreement and derived from Art. 28 GDPR or Art. 10a DPA shall constitute a serious breach.

8. Reference to existing contracts

8.1. If any provision contained in this Agreement conflicts with the main Agreement, the provision contained in this Agreement shall prevail.

8.2. The provisions of this Agreement shall continue to apply after the termination of the Main Agreement, as long as the Contractor is in possession of personal data of the Client.

8.3. In the case of AGILITA’s own solutions and AGILITA products (e.g. apps), data processing is recorded in the corresponding solution concept and accepted accordingly when used by customers. When using the AGILITA apps, at least subaccounts, user data (last name, first name, e-mail address), user settings, configurations, database schemas, device information, user details, login details, app usage, performance and generally logs are saved and processed for the purpose of functionality.

8.4. The services are provided by the processor itself and in cooperation with the defined cloud and solution providers. Further sub-processors shall only be included by the Processor in consultation with the Client. In the event of any future need for sub-processors, the Client shall inform the Processor of the desired partner and agree to the cooperation and cross-company data processing.

9. Final provisions

9.1. Amendments and supplements to this contract must be made in writing. This also applies to the waiver of this formal requirement.

9.2. Should individual provisions of this contract be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. The parties agree to replace the invalid provision with a valid provision that comes as close as possible to the economic sense and purpose of the invalid provision.

9.3. This contract is governed by Swiss law to the exclusion of the International Private Law (IPRG). The exclusive place of jurisdiction for disputes arising from this contract or in connection with the interpretation and application of this contract shall be the Contractor’s registered office.