DPA - Data Processing Agreement


Version of the document: September 2023
Document ID:

1. Scope of application and contractual elements

  1. There is a contract between VSHN AG ("VSHN" or "Processor") and the customer of VSHN ("Customer" or "Controller", each individually a "Party" and together the "Parties") regarding certain IT services (the "Framework Agreement"). Within the framework of the performance of the Framework Agreement, VSHN processes personal data (the "Data") on behalf of the Customer.

  2. This data processing agreement ("DPA") regulates the processing of Customer Data by VSHN within the meaning of Art. 28 of the EU Data Protection Basic Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).

2. Subject and duration of the processing operation

  1. The nature of the Data, the categories of data subjects and the duration and purposes of the processing are as follows, unless otherwise expressly provided for in the Framework Agreement:

    • Type of Data: The processed Data includes personal master data, communication data (e.g. e-mail, chat), registration data, documents and other data in electronic form, which the Processor processes for the Controller in connection with the main contractual services. The Controller guarantees that no data that is particularly worthy of protection will be transferred for processing without prior agreement.

    • Categories of data subjects: Employees, customers, suppliers and any other persons connected with the data controller, whose data the Controller transmits to the Processor under the Framework Agreement.

    • Duration and purpose: The duration of this DPA is determined by the duration of the Framework Agreement. The purpose is limited to the provision of the services under the Framework Agreement.

  2. This DPA applies exclusively to the processing of Data by the Processor and its subcontractors. If the Customer commissions the Processor to process Data on infrastructure or with software of third parties, the Customer is responsible for compliance with the data protection regulations by this third party.

3. Responsibility and instructions

  1. Within the scope of this contract, the Controller is solely responsible for compliance with the legal provisions of the data protection laws, in particular for the legality of the data transfer to the Processor and for the legality of the data processing and the instructions ('Controller' in the sense of Art. 4 Nr. 7 GDPR and Art. 5 lit f) FADP respectively).

  2. The Processor processes the Data exclusively for the purposes of the Framework Agreement and in accordance with the documented instructions of the Controller. Instructions must always be given in writing or in electronic form. Oral instructions must be confirmed immediately in writing or in text form.

  3. The Processor shall inform the Controller without delay if it considers that an instruction violates applicable laws. The Processor may suspend the implementation of the instruction until it has been confirmed or amended by the Controller.

  4. Where Data are processed pursuant to legal provisions and contrary to the instructions of the Controller, the Processor is obliged to inform the controller in advance of the processing operation concerned and of the lawfulness of the processing, unless this is contrary to an important public interest.

4. Duties of the Controller

  1. The Controller is responsible for assessing the permissibility of the data processing and for safeguarding the rights of the data subjects. The Controller guarantees that the processing of the Data by the Processor in accordance with this DPA and the instructions does not violate any applicable legal provisions.

  2. The Controller shall inform the Processor without delay if it discovers errors or irregularities when examining the order processing.

  3. The Controller is obliged to treat as confidential all knowledge of business secrets of the Processor obtained within the scope of the contractual relationship.

  4. The Controller is obliged to document his instructions to the Processor.

5. Technical and organisational measures

  1. The Processor shall ensure that the persons authorised to process the Data (e.g. employees, subcontractors, etc.) have contractually undertaken to maintain confidentiality and security or are subject to an appropriate legal obligation of confidentiality and security.

  2. Within his area of responsibility, the Processor will design the internal organisation in such a way that it meets the special requirements of data protection. The Processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and capacity of the systems and services in connection with the processing in the long term and which meet the requirements of the GDPR and the FADP.

  3. The current technical and organisational measures and the procedure for reviewing, assessing and evaluating their effectiveness are described in Appendix 1. The Controller is aware of these technical and organisational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the Data to be processed.

  4. The Processor may adapt the measures in the course of the contractual relationship to technical and organisational developments - but these must not fall below the agreed standards.

6. Subcontracting, teleworking and place of processing

  1. Contracts with subcontractors for the processing of the Personal Data covered by the contract may only be awarded with the prior written consent (including text form) of the Controller.

  2. The Controller hereby grants the Processor general authorization to use subcontractors in accordance with the provisions of this DPA. The Processor’s existing subcontractors can be found under www.vshn.ch/en/partners/technology-partners/. The Processor shall inform the Controller of any intended change with respect to the use or replacement of other subcontractors in an appropriate manner and within a reasonable period of time. The Controller may object to the change for good cause within 30 days. The objection must be made in writing and must include the specific reasons for the objection and, if applicable, opportunities for compromise. Any further outsourcing by the subcontractor requires the express consent of the person responsible (at least in text form).

  3. The Processor is obliged to impose on authorized subcontractors data protection obligations fundamentally comparable to those contained in this Agreement before Personal Data of the Controller are processed by the subcontractor.

  4. For the purposes of this provision, subcontractors are those service providers whose services are directly related to the provision of the main service under the Framework Agreement and concern the processing of Data. This does not include ancillary services which the Processor uses, e.g. as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, in order to guarantee the data protection and data security of the Data of the data controller, the Processor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure that the Data of the Controller is protected, even in the case of outsourced ancillary services.

  5. The Processor or its subcontractors process the data primarily in Switzerland, Canada (British Columbia) and the European Economic Area. The Controller agrees that the data may also be processed outside of Switzerland, Canada and the European Economic Area, provided that the Processor ensures that the conditions for transferring the data to third countries in accordance with the DPA are met and the Controller is informed in advance of the export of data. The Processor shall provide proof of compliance on request.

  6. Employees of the Processor may also process the data in private homes as part of teleworking, provided that appropriate measures have been taken. The Controller authorises the processing of such Data only if the necessary data protection and data security measures are in place. If Data of the Controller are processed in a private apartment, access to the apartment for the purpose of order control must be agreed with the Controller in advance. The Processor assures that all residents of these private apartments agree with this provision.

7. Notification and support obligations of the Processor

  1. The Processor shall provide appropriate support to the Controller in fulfilling the requests and claims of affected persons in accordance with Chapter III of the GDPR and Chapter IV and V of the FADP respectively and in complying with the obligations set out in Art. 33 to 36 GDPR and Art. 19 to 24 FADP respectively. In principle, the Controller is responsible for implementing the rights of data subjects. The Processor implements the documented instructions of the Controller with regard to the deletion concept, the rights to be forgotten, correction, data portability and information. The Controller shall pay the processor a reasonable fee for the implementation, unless this is expressly included in the services under the Framework Agreement.

  2. The Processor shall forward any requests from data subjects to the Controller if the request can be attributed to the Controller.

  3. The Processor shall immediately inform the Controller if it becomes aware of any breaches of the protection of the Controller’s Data.

8. Evidence of compliance

  1. The Processor shall provide the Controller with appropriate evidence of compliance with the obligations laid down in this contract by any appropriate means.

  2. If, in individual cases, inspections by the Controller or an auditor appointed by him are necessary, these will be carried out during normal business hours without disrupting operations after notification, subject to an appropriate lead time. The inspection must take appropriate account of justified confidentiality interests and legal and contractual confidentiality obligations. Prior to the audit, the auditing persons must sign a confidentiality agreement with regard to the data of the Processor as well as other customers and the technical and organisational measures set up.

  3. All costs of the Processor (including those for the employee to be provided) are to be borne by the Controller.

9. Post-contractual obligations

Upon completion of the contractually agreed work or earlier upon request by the Controller - at the latest upon termination of the service agreement - the Processor shall hand over to the Controller all Personal Data in its possession that are connected with the contractual relationship or, with prior consent, destroy them in accordance with data protection regulations or anonymize them completely. The same applies to test and defective material. The protocol of the deletion must be presented on request.

10. Liability and compensation

  1. The Controller and the Processor are liable to the data subjects in accordance with the provisions of Art. 82 GDPR and the FADP respectively. However, in the internal relationship between the Parties, the Processor shall be liable for the damage caused by a processing operation only if (i) he has not complied with its obligations specifically imposed on it by the DPA, or (ii) it has acted in breach of or contrary to the lawful instructions of the Controller.

  2. Furthermore, the limitations of liability according to the Framework Agreement shall apply.

11. Final provisions

  1. VSHN reserves the right to adapt this DPA at any time and will inform the customers in advance of the changes in a suitable manner (also in electronic form). Amendments or additions to this DPA shall become an integral part of the contract if the Customer does not object within 30 days of becoming aware of the amended provisions.

  2. Should one or more provisions of this DPA or the remaining contract be or become invalid, ineffective or void, such provision shall be replaced by a valid and effective provision that comes closest to the meaning of the original provision and corresponds to the economic balance of the Parties.

  3. The present contract and all disputes arising from it are subject exclusively to substantive Swiss law, excluding the conflict of laws provisions and the UN Convention on Contracts for the International Sale of Goods. Exclusive place of jurisdiction is Zurich.