
Order Data Processing Agreement (ADV)
1. Purpose and scope
(a) The purpose of this agreement on order data processing (“ADV”) is to ensure compliance with the Swiss Federal Act on Data Protection (“DSG”) and, where applicable, further data protection laws (e.g. the European General Data Protection Regulation) (“applicable data protection laws”), in each case only if and to the extent applicable to the respective processing activity.
(b) For the purposes of this agreement, the customer is the person responsible (controller) under data protection law and Swissprime Technologies AG is the data processor (processor).
(c) This ADV applies to the processing of personal data as described in Appendix 1 and all terms defined in Annex 1 are defined terms in this ADV.
2. Interpretation
(a) Where terms defined in applicable data protection laws are used herein, those terms have the same meaning as in those laws.
(b) This ADV must be read and interpreted in light of the provisions of applicable data protection laws, in particular the DSG, to the extent that they are applicable.
(c) These clauses must not be interpreted in a way that is contrary to the rights and obligations provided for in applicable data protection laws or affects the fundamental rights or freedoms of data subjects.
3. Hierarchy
(a) In the event of a conflict between this ADV and the terms of any other agreement between the parties existing at the time of the agreement of this ADV or entered into thereafter, this ADV shall prevail unless otherwise expressly agreed in writing.
4. Description of processing(s)
(a) The details of the processing, in particular the categories of personal data and the purposes of processing for which the personal data are processed on behalf of the person responsible, are set out in Annex 1.
5. Obligations of the contracting parties
5.1 General
(a) The data processor only processes personal data on written instructions from the person responsible, unless he is legally obliged to do so under the law to which the data processor is subject. The person responsible may also issue subsequent instructions for the entire duration of the processing of personal data. Such instructions must always be documented.
(b) The data processor will immediately inform the person responsible if, in the opinion of the data controller, the instructions given by the data controller violate the DSG or other applicable regulations.
5.2 Purpose limitation
(a) The data processor may only process the personal data for the purpose(s) of processing specified in Appendix 1.
5.3 Deletion or return of data
(a) Processing by the data processor may only take place for the period specified in Appendix 1.
(b) Upon termination of the provision of personal data processing services or upon termination in accordance with Section 8, the data processor returns all personal data to the person responsible and deletes existing copies, unless applicable data protection laws or further regulations require the storage of personal data.
5.4 Security of processing
(a) The data processor takes technical and organizational measures (TOM) to ensure the security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized transfer or access to this data (violation of personal data protection). When assessing the appropriate level of security, he takes into account in particular the risks associated with processing, the type of personal data and the nature, scope, circumstances and purposes of processing.
(b) In the event of a personal data breach with regard to data processed by the data processor, the data controller shall immediately notify the person responsible, but at the latest within 48 hours of becoming aware of the breach. This notice includes details of a point of contact from which further information about the personal data breach can be obtained, a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data sets), its likely consequences, and the measures that have been taken or are to be taken to mitigate its potential adverse effects. If it is not possible to provide all information at the same time, the initial notification will include the information available at that time and further information will be provided without undue delay as soon as it is available.
(c) The data processor shall work in good faith with the controller and assist him in all necessary ways so that the controller is able, where appropriate, to notify the competent data protection authority and data subjects, taking into account the nature of the processing and the information available to the data controller.
(d) The data processor only grants his employees access to the data insofar as this is absolutely necessary for the execution, administration and monitoring of the contract. The data processor ensures that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to a corresponding legal obligation of confidentiality.
5.5 Documentation and Regulatory Compliance
(a) The parties must be able to demonstrate compliance with this ADV.
(b) The data processor is required to promptly and properly answer all reasonable requests from the controller relating to processing within the framework of applicable data protection laws.
(c) The data processor provides the controller with all information necessary to demonstrate compliance with the obligations set out in the applicable data protection laws and arising directly from the applicable data protection laws and, at the request of the controller, enables the verification of files and documents or audits of the processing activities covered by these clauses and contributes to this, in particular if there are signs of non-compliance.
(d) The person responsible has the choice of carrying out the audit himself, hiring an independent auditor at his own expense, or relying on an independent audit commissioned by the data processor. If the data processor commissions an audit, he must bear the costs of the independent auditor. The controller's audit, access and inspection rights under this clause are limited exclusively to the data processor's records (including records of processing activities) and do not apply to the data processor's physical premises. Any review and request for information shall be limited to the information necessary for the purposes of this ADV and shall take due account of the data processor's confidentiality obligations and his legitimate interest in protecting trade secrets.
(e) The data processor and the controller shall provide the information referred to in this clause, including the results of any audits, to the competent supervisory authority upon request, if and to the extent required under applicable data protection laws.
(f) The person responsible must reimburse the data processor for the expenses arising from the activities in accordance with points (b) to (d) above, unless the services are based on reasonable suspicion of failure to comply with applicable data protection legislation or cause unreasonable effort.
5.6 Use of sub-data processors
(a) The data processor has the consent of the person responsible to appoint sub-data processors (sub-suppliers). The list of the data processor's sub-processors can be found in Appendix 1. The data processor shall inform the controller in writing of any intended change to this list by adding or replacing sub-processors, at least 30 days in advance, so that the controller has the opportunity to object to these changes before instructing the relevant sub-data processor(s). Such an objection must not be unjustified. The parties keep the list up to date.
(b) If the data processor instructs a sub-data processor to carry out certain processing activities (on behalf of the controller), this is done within the framework of a contract which imposes on the sub-data processor the same obligations as the data processor in accordance with applicable data protection laws. The data processor ensures that the sub-processor complies with the obligations to which the data processor is subject under this ADV and applicable data protection laws.
(c) The data processor remains fully responsible to the person responsible for fulfilling the sub-data processor's obligations under his contract with the data processor. The data processor shall report to the controller if the sub-data processor fails to comply with its obligations under this contract.
5.7 International transfers
(a) Any transfer of data to a “third country” (any country outside Switzerland) or an international organization by the data processor may only take place if approved in accordance with Annex 1, and must be done in accordance with applicable data protection laws, to the extent applicable. Standard contractual clauses may need to be added and a data protection impact assessment carried out, resulting in additional requirements that need to be adjusted.
(b) The controller agrees that, in cases where the data processor engages a sub-data processor in accordance with clause 5.6 to perform certain processing activities (on behalf of the controller) in a third country and these processing activities include the transfer of personal data, approved standard data protection clauses may be used to meet the requirements of applicable data protection laws, provided that the conditions for the use of these clauses have been met.
6. Rights of the person concerned
(a) The data processor shall immediately inform the person responsible of all requests made directly by the data subject. He does not respond to this request himself, unless he has been authorized to do so by the person responsible.
(b) The data processor supports the controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights, to the extent applicable:
- the right to be informed when personal data is collected from the data subject,
- the right to be informed when personal data has not been received from the data subject,
- the right to information from the person concerned,
- the right to rectification,
- the right to deletion (“the right to be forgotten”),
- the right to restrict processing,
- the reporting obligation to correct or delete personal data or to restrict processing,
- the right to data portability,
- the right to file an objection,
- the right not to be subject to a decision based exclusively on automated processing, including profiling.
(c) In addition to the data processor's obligation to assist the controller in accordance with Article 6 (b), the data processor supports the controller in complying with the following obligations, taking into account the nature of the processing and the information available to the data processor:
- the obligation to report a personal data breach to the competent supervisory authority immediately after becoming aware of it (unless it is unlikely that the personal data breach would result in a risk to the rights and freedoms of natural persons);
- the obligation to immediately notify the data subject of a personal data breach if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to carry out an assessment of the impact of the planned processing on the protection of personal data (a “data protection impact assessment”) when a type of processing is likely to involve a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent supervisory authority before processing if a data protection impact assessment shows that the processing would involve a high risk if the controller did not take steps to reduce the risk.
(d) The person responsible must reimburse the data processor for the expenses arising from any services on the basis of the rights mentioned above, unless the services are based on a reasonable suspicion of failure to comply with applicable data protection legislation or the effort is unreasonable.
7. Reporting of personal data protection violations
(a) In the event of a personal data breach, the data processor will work in good faith with the controller and assist him in a reasonable manner to comply with his obligations regarding data protection impact assessment, taking into account the type of processing and the information available to the data processor. Excessive expenses must be paid to the data processor.
(b) The data processor supports the person responsible in reporting the personal data breach to the competent supervisory authority, where applicable. In particular, the data processor is required to assist in obtaining the following information, which, in accordance with applicable data protection laws, such as Article 22 paragraph 2 DSG, must be provided in the controller's report:
- the type of personal data, including, where possible, the categories and approximate number of data subjects as well as the categories and approximate number of personal data records concerned;
- the likely consequences of a breach of personal data protection;
- the measures that the controller has taken or intends to take to remedy the personal data protection breach, including, where appropriate, measures to mitigate potential negative effects.
8. Termination
(a) Notwithstanding the provisions of applicable data protection laws, the controller may instruct the data processor to temporarily stop processing personal data until he complies with applicable data protection laws or the contract is terminated if the data processor breaches his obligations under this ADV or the corresponding legal basis. The data processor will immediately inform the person responsible if, for any reason, he is unable to comply with applicable data protection laws.
(b) The person responsible is entitled to cancel this ADV and the basic agreement if:
- the processing of personal data by the data processor has been temporarily suspended by the controller in accordance with point (a), the breach by the data controller is significant and compliance with data protection is not restored within a reasonable period of time, but in any case within one month;
- the data processor is significantly or permanently breaching applicable data protection law (in particular the DSG) or its obligations under applicable data protection laws, and this breach is not expected to be remedied;
- the data processor fails to comply with a binding decision of a competent court or competent supervisory authority regarding its obligations under applicable data protection laws.
(c) This ADV will remain in full force as long as the agreement concluded between the parties remains in force. All provisions of this ADV that come into force or are intended to continue in force, express or implied, upon or after termination of the Personal Data Protection Agreement shall remain in full force and effect.
9. Liability and compensation
(a) Notwithstanding anything to the contrary in this ADV or any other agreement between the parties, the data processor shall, upon request, immediately indemnify the controller in full from all costs, claims, demands, expenses (including reasonable legal costs), losses, lawsuits, proceedings and liabilities of any kind incurred by the controller or its affiliates that arise in connection with the failure of the data processor, or of third parties commissioned by him, to comply with the provisions of this Agreement and/or applicable data protection law when processing personal data for the person responsible.
In addition, the provisions of this ADV and the Swiss Code of Obligations apply.
10. Jurisdiction and Applicable Law
The place of jurisdiction is the registered office of the person responsible. Substantive Swiss law is applicable.
11. Miscellaneous
Insofar as nothing is agreed herein, any concluded (framework) contract applies.
* Categories of personal data and data subjects are defined by the person responsible and without the intervention of the data processor. The list is given by way of example.
Sub-data processor