Data Processing Agreement

Provisions on the processing of Personal Data

The following provisions apply to all cases in which Webrepublic AG processes or participates in the processing of personal data (hereinafter “Data” or “Personal Data”) on behalf of the customer in connection with contractual services for the customer (hereinafter “Contract”). Such processing is subject to the data protection laws of Switzerland (Data Protection Act and Ordinance) and – where applicable – EU Regulation 2016/679 (General Data Protection Regulation, GDPR), as amended from time to time (together referred to as “Data Protection Law”). This DPA does not apply to customer Data which Webrepublic AG itself requires and uses within the scope of its contractual and business relationship with the customer.

 

  1. Webrepublic AG’s tasks, the categories of persons and Data concerned and the purposes of processing ensue from the Contract with the customer which describes Webrepublic AG’s services. Webrepublic AG can in particular implement specifications and settings, which may concern the treatment of Personal Data by online advertising service providers (e.g. Google or Facebook, hereinafter “Service Providers”) when managing advertising campaigns for the customer by means of tools provided by these Service Providers. This may concern Data such as e-mail addresses, Google/Facebook IDs, other contact data, information about preferences, customer status, demand/purchase behaviour etc. of end customers of the customers and users of online services, used by these Service Providers for the purposes of targeted online advertising for the customer. Subject to any special agreement, Webrepublic AG itself receives and processes no Personal Data of end customers or online users.
  2. In this context, Webrepublic AG processes Data for its contractual services always on behalf of the customer and not for its own purposes (Data processing); in particular, by arranging the transmission of Data, instructions and analyses between the customers and the Service Providers, who process them for their advertising services for the customers. Webrepublic AG processes such Data and analyses exclusively according to the specifications of the Contract and other written instructions from the customer. Should Webrepublic AG come to the conclusion that an instruction from the customer violates the Data Protection Law, Webrepublic AG informs the customer immediately. The customer remains controller of the Data processing.
  3. The customer knows and agrees that such Service Providers process Data on behalf of the customer; regularly in a direct contractual relationship between the customer and the service provider (the customer’s own account); or via Webrepublic AG under a subcontract, where in an individual case an account of Webrepublic AG is used with the service provider. The Contract or order for the campaign determines which Service Providers these are. Webrepublic AG does not employ sub-processors without informing the customer in advance and giving him the opportunity to object. Webrepublic AG concludes agreements conforming to the requirements of the Data Protection Law with sub-processors, usually in the form of the data processing terms offered by the service provider.
  4. Should Webrepublic AG be ordered by courts or authorities to disclose processing Data of the customer, it informs the customer immediately and refers the authorities to him, where legally permissible.
  5. Webrepublic AG commits in advance all persons entrusted with Data processing to confidentiality (unless they are subject to a statutory duty of confidentiality anyhow); and this also beyond the end of their activity for Webrepublic AG.
  6. Where Webrepublic AG itself carries out processing steps on Data or gains knowledge of Data, it takes all required measures to ensure the security of Data processing in conformity with the Data Protection Law; namely the measures listed in the annex.
  7. Webrepublic AG maintains a record of its processing activities as a Data processor, which lists the processing operations here concerned.
  8. The customer shall inform himself about the terms of use and data protection policies by which the third-party Service Providers inform Data subjects about Data processing in their sphere; about the measures they undertake to ensure the security of such processing and about the means available there so that the customer can comply with Data subjects’ statutory rights (e.g. to information, correction, deletion and objection). If a Data subject addresses such requests to Webrepublic AG, evidently mistaking it for the controlling customer, Webrepublic AG immediately forwards them to the customer and notifies the applicant; costs incurred by Webrepublic AG due to such requests are borne by the customer. Webrepublic AG supports the customer in his compliance with the Data protection obligations concerning Data security, notification of Data breaches to the authorities and information of concerned subjects. Webrepublic AG does not hereby assume any responsibility for infringements and misconduct of the Service Providers.
  9. The customer may at any time – following adequate advance notice; without impairing the business processes of Webrepublic AG; safeguarding business secrets; and at his own expense – inspect the processing of his Data and control facilities at which Webrepublic AG processes his Data; this may also be done by third parties on his behalf. Webrepublic AG provides the customer with the necessary information, but can demand, for the protection of secrets, that the inspection and control is carried out by an examiner with sufficient expertise and who is bound to secrecy. Where customer Data is processed by third parties, the customer’s rights apply vis-à-vis these third parties in accordance with their undertakings.
  10. Webrepublic AG will after termination of the contractual services hand over, destroy or delete all Personal Data of the customer, including analyses and documents, containing such Data, unless they are still needed for legitimate reasons (e.g. to assert or defend legal claims or to comply with legal obligations).
  11. Where Webrepublic AG itself processes Data, it may, at its discretion, use infrastructures in Switzerland and/or within the EU and the EEA, which mutually recognise the adequacy of their data protection; or use cloud providers (such as Google Drive, Amazon Cloud, etc.), which offer sufficient measures for the protection of Personal Data through EU/Switzerland US “Data Privacy Framework” certification, guarantee clauses or otherwise. For Data processing by the online advertising Service Providers used in campaigns, besides the possible consent of the data subjects, declarations and assurances by Service Providers of guarantees for processing in third countries apply.
  12. These regulations remain effective as long as Webrepublic AG provides contractual services for the customer and thereby processes Data. The right of the customer to demand restriction or cessation of processing, in whole or in part, remains unaffected. If the customer makes use of this right, Webrepublic AG is no longer obligated to the contractual services that require Data processing. Webrepublic AG’s remuneration claims remain unaffected; liability and compensation are governed by Contract, terms and conditions and statutory provisions.

 

Technical-Organisational Measures

Confidentiality

  • Physical access control: protection against unauthorized physical access to Data processing systems (keys, chip cards, alarm systems, video systems);
  • System access control: protection against unauthorized system use (passwords, automatic blocking mechanisms, two-factor authentication, encryption of data media, VPN for mobile access);
  • Data access control: No unauthorized reading, copying, modification or removal within the system (standard access profiles on a “need to know” basis, standard process for assigning access rights, logging of accesses, periodic checking of assigned access rights, in particular of administrator accounts);

Integrity

  • Entry control: Determining whether and by whom Personal Data have been entered, modified or removed in Data processing systems (logging, document management);

Availability and Resilience 

  • Reliability control: protection against accidental or deliberate destruction or loss, backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting lines and contingency plans; security checks at infrastructure and application level, standard processes in the event of employees switching or leaving;
  • Rapid recoverability (regular backups)

Regular Review, Assessment and Evaluation Procedures 

  • Data protection and security management, including regular employee training courses;
  • Incident response management;
  • Data protection by default settings.