Version: 1. September 2023
Introduction
This Data Processing Agreement (hereinafter "DPA") constitutes an integral part of the Agreement between PolitAnalytics and the Customer ("Agreement") and specifies the obligations of the Parties with regard to the requirements of the Swiss Data Protection Act (FADP) and the EU General Data Protection Regulation (GDPR). In this regard, it supplements the contractual agreements resulting from the Agreement. This DPA only applies if and to the extent that (i) the Customer is the controller within the scope of the FADP and/or the GDPR and (ii) the Customer involves PolitAnalytics under the Agreement as a processor for the processing of personal data covered by the scope of the FADP and/or the GDPR. This DPA shall remain effective as long as PolitAnalytics processes personal data on behalf of the Customer.
Definitions
The terms "controller", "processor", "personal data" and "processing" shall have the meaning given to these terms in the FADP and the GDPR (hereinafter together the "Regulation"). "Data Privacy Laws" means all applicable legislation regarding the protection of personal data, including the Regulation, local laws and/or EU legislation and the decisions, advice and recommendations of the competent Supervisory Authority. "Supervisory Authority" means the supervisory authority or authorities with the power to conduct supervision of the processing of personal data under the Data Privacy Laws. At the effective date of the Agreement, the Federal Data Protection and Information Commissioner (FDPIC) is such an authority.
Processing of personal data
The Parties agree that the Customer is considered the controller and that PolitAnalytics is the processor under the Regulation. PolitAnalytics shall process personal data in accordance with the instructions set out in the Agreement. The Customer reserves the right to provide changed or supplemented instructions to PolitAnalytics. PolitAnalytics shall comply with these instructions, provided that they are technically feasible and objectively reasonable for PolitAnalytics within the scope of the services agreed to under the Agreement. If such instructions result in PolitAnalytics incurring additional costs or lead to a change in the scope of services, the agreed contract change procedure shall apply. PolitAnalytics shall inform the Customer promptly if it is of the opinion that an instruction contravenes the Data Privacy Laws. PolitAnalytics may in this case defer implementing the respective instruction until it has been confirmed or amended by the Customer. The Parties undertake to process personal data under this DPA in compliance with the Data Privacy Laws. The Parties shall actively collaborate in order to fulfil their reporting and/or filing obligations and, where appropriate, obtain the necessary authorizations from the competent Supervisory Authorities. PolitAnalytics may, where appropriate given the effort required, demand an adequate remuneration for supporting the Customer in this regard. The Customer shall, where appropriate, inform all individuals whose personal data is subject to data processing. The Parties shall refrain from any form of action that may cause the other Party to violate the Data Privacy Laws.
PolitAnalytics’s obligations
PolitAnalytics shall cooperate with the Customer with regard to the processing of personal data, the handling of requests from data subjects for the exercise of their rights, the compilation of any impact assessment, and in general reasonably assist the Customer to comply with its obligations under the Data Privacy Laws. PolitAnalytics undertakes to provide the Customer with all relevant and necessary information that the Customer needs to fulfill its obligations as controller or processor. PolitAnalytics may, where appropriate given the effort required, demand an adequate remuneration for supporting the Customer in this regard.
PolitAnalytics warrants:
to only process personal data in accordance with the Customer's documented instructions and only to the extent necessary to fulfill its obligations under the Agreement, and never to process personal data for any other purposes, for example commercial purposes;
that every person having access to and/or processing personal data under this DPA is bound by a confidentiality obligation and has received the necessary information for the processing of the personal data;
to notify the Customer if a data subject directly contacts PolitAnalytics to exercise his/her right to access, to rectify, to delete and/or to object to the processing of personal data; PolitAnalytics shall share the request in question with the Customer as soon as PolitAnalytics becomes aware of such request;
in the event that an authority, data subject or other third party requests information from PolitAnalytics regarding the processing of personal data under this DPA, to refer to the Customer as soon as possible; PolitAnalytics may only disclose personal data or information regarding the processing of personal data in accordance with the Customer's written instructions or if PolitAnalytics is required to disclose the relevant information according to law, regulation, court or other authority's decision or stock exchange regulation;
to keep records of all categories of processing performed on behalf of the Customer in accordance with the Regulation;
to inform the Customer if any contacts are initiated by the Supervisory Authority regarding the processing of personal data;
to immediately notify the Customer if any change may impact the processing of personal data under the DPA;
to immediately inform the Customer if, according to PolitAnalytics, an instruction constitutes a breach of Data Privacy Laws or is technically not feasible.
Technical and organisational measures
PolitAnalytics shall implement appropriate technical and organizational measures to ensure that all personal data processed under this DPA shall be appropriately protected, given their nature and the risks entailed by the processing. The measures implemented to ensure the protection of personal data shall, at a minimum, comply with what is stated in Attachment 2 (Technical and organizational measures). In the event that PolitAnalytics wishes to replace or change the technical or organizational measures for the protection of personal data, the new measures shall achieve an equivalent or higher level of confidentiality and protection.
Sub-processors
PolitAnalytics may not engage any sub-processors without the Customer's prior consent. With regard to the sub-processors listed in Attachment 3 (Sub-processors), the Customer's consent shall be deemed granted at the date the Agreement (and thereby this DPA) comes into force. PolitAnalytics must inform the Customer in advance if, after the Agreement (and thereby this DPA) comes into force, it engages new sub-processors or changes existing sub-processors. If there is good cause under Data Privacy Laws, the Customer may, within a period of 30 days upon receipt of PolitAnalytics's information, provide a written objection against the engagement of a new or the change of an existing sub-processor. If there is good cause under Data Privacy Laws, and where the Parties cannot agree on an amicable solution, the Customer shall be granted a termination right in relation to the service affected hereby. Attachment 3 (Sub-processors) shall be kept updated accordingly. Personal data may only be processed by such sub-processor on the condition that PolitAnalytics has entered into a written agreement with the sub-processor which imposes on the sub-processor obligations equivalent to those imposed on PolitAnalytics by the Customer under this DPA and in which the sub-processor guarantees to take appropriate technical and organizational measures in such a way that the processing of personal data is in accordance with applicable Data Privacy Laws. The Customer has the right to obtain from PolitAnalytics a copy of the contract with the sub-processors or, if confidentiality obligations prevent PolitAnalytics from disclosing the full contract, a description of the essential elements of the contract, including a description of the obligations related to the processing of personal data. PolitAnalytics is responsible for work performed by the sub-processor, unless otherwise agreed in writing between the Parties.
In case a sub-processor fails to comply with its obligations with regard to protection of personal data, PolitAnalytics shall be liable to the Customer for the performance of the sub-processor’s undertakings.
Transfers to third countries
PolitAnalytics undertakes to ensure that all processing of personal data is performed in Switzerland, a member state of the European Economic Area and/or in a country recognized as providing an adequate level of protection by the European Commission. PolitAnalytics shall ensure that no personal data is disclosed, transmitted or made available to third parties or sub-processors in a country outside Switzerland, the European Economic Area and/or to a country where, according to the European Commission, there is no adequate level of protection. Provided that PolitAnalytics has obtained the Customer's prior consent and only to the extent required to fulfil the obligations under the Agreement and this DPA, PolitAnalytics is entitled to transfer personal data outside Switzerland, the European Economic Area or outside a country recognized as providing an adequate level of protection by the European Commission, however only in the cases where PolitAnalytics has entered into such agreement with the relevant sub-processor as referred to in the decision of the European Commission dated 4 June 2021 regarding standard contractual terms for the transfer of personal data to processors established in third countries including any updates (hereinafter "Standard Terms") and PolitAnalytics warrants that the engaged sub-processors in third countries comply with the Standard Terms.
Rectification, erasure and storage of personal data
Upon the Customer's written request, PolitAnalytics undertakes to rectify, erase, delete/anonymise or restore personal data processed under this DPA, provided that this does not violate mandatory Data Privacy Laws or other applicable mandatory laws. At the termination of the Agreement, and in accordance with the Customer's instructions, PolitAnalytics undertakes to delete/anonymise or return to the Customer all personal data, subject to mandatory Data Privacy Laws or other applicable mandatory laws preventing PolitAnalytics from completely or partially deleting/anonymising or returning the personal data. Where possible and feasible, PolitAnalytics shall anonymise or pseudonymise such personal data depending on the nature of the legal obligations applicable, and PolitAnalytics hereby guarantees that confidentiality will be maintained. This section shall survive the termination or the expiry of the Agreement (and thereby this DPA) for any reason whatsoever.
Audit
Where provided by applicable mandatory Data Privacy Laws, the Customer has the right to perform audits and inspections to ensure PolitAnalytics’s compliance with its obligations under this DPA. The principle of proportionality shall be adhered to in all cases in such audits and inspections and reasonable account must be taken of the legitimate interests of PolitAnalytics (namely to confidentiality). Unless otherwise provided, the Customer shall be responsible for all costs of such audits and inspections (including proven internal costs incurred by PolitAnalytics in cooperating in the audit or inspection).
Liability
Notwithstanding any limitation of liability in the Agreement, each Party is responsible for its processing of personal data in accordance with what follows from this DPA and applicable Data Privacy Laws and shall be liable to compensate the other Party for any loss or damage due to claims from third parties or administrative fines resulting from, arising out of or relating to any breach by such first-mentioned Party of this DPA or applicable Data Privacy Laws. However, except for claims to which, according to the Regulation, no limitation applies, either Party’s total aggregate liability arising in connection with this DPA shall be limited to ten times the fees paid or payable by the Customer to PolitAnalytics according to the Agreement, during the twelve months preceding the loss or damage event.
Personal data breach
PolitAnalytics shall notify the Customer without undue delay when PolitAnalytics becomes aware of a personal data breach leading to, or at risk of leading to, the accidental or illegal destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data. PolitAnalytics undertakes to perform the measures required to remedy the breaches/failures in the protection of personal data and to prevent similar incidents from occurring in the future. PolitAnalytics shall remedy the breaches/failures as soon as possible and minimize the negative impact of such breaches/failures on the data subjects. PolitAnalytics shall inform the Customer in writing (e-mail sufficient) and provide a description of the personal data breach and its consequences, the measures implemented to remedy the breaches/failures and minimize the consequences for the data subjects, and the measures adopted to prevent incidents in the future. If possible, PolitAnalytics shall indicate the number of data subjects that have been impacted by the personal data breach. PolitAnalytics is aware that any breach of the Data Privacy Laws may impose obligations on the Customer, including the obligation to notify the data subjects and the Supervisory Authorities of the personal data breach. PolitAnalytics undertakes to cooperate with the Customer and to assist the Customer in fulfilling such obligations.
Attachment 1: Description of the data processing
This Attachment 1 describes the data processing performed by PolitAnalytics under the Data Processing Agreement (DPA) within the scope of the Agreement.
Details of PolitAnalytics
Contact details of PolitAnalytics (responsible recipient of instructions):
PolitAnalytics AG
Geschäftsleitung
Seefeldstrasse 123
8008 Zürich
Switzerland
[email protected]
Contact details of PolitAnalytics's data protection officer:
PolitAnalytics AG
Datenschutzbeauftragter
Seefeldstrasse 123
8008 Zürich
Switzerland
[email protected]
Contact details of PolitAnalytics's data protection representative within the European Union that can be contacted by supervisory authorities and data subjects for all questions relating to EU data protection law:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
[email protected]
Data processing
General
Within the scope of the Agreement, the Customer provides PolitAnalytics, at its own discretion and on its behalf, with personal data and/or confidential data for processing purposes.
Purpose of the processing
The personal data entrusted to PolitAnalytics by the Customer and the personal data arising therefrom shall be processed exclusively for the purpose of and related to fulfilling the Agreement.
Duration of the processing
After the end of the Agreement, PolitAnalytics will retain the personal data related to the Customer for analytical purposes, as long as this is necessary for the legitimate interests pursued by PolitAnalytics. This includes ensuring the ability to track and analyze past customer behavior for the enhancement and further development of PolitAnalytics’ services. However, PolitAnalytics will take appropriate measures to ensure that the retained data is securely stored and accessible only to authorized personnel. Should data subjects request the deletion of their personal data, PolitAnalytics will promptly assess the request and, where applicable and feasible, anonymize the relevant personal data or restrict its processing in compliance with Data Privacy Laws.
Data subjects
PolitAnalytics may process personal data related to internal or external employees of the Customer as well as internal or external employees of the Customer's customers and of other suppliers or partners of the Customer.
Types of personal data
PolitAnalytics may process the following types of personal data:
Private and professional contact and identification data as well as (work) organisation data (e.g. surname, first name, gender, address, e-mail address, telephone number, mobile phone number, company, work area, department, cost centre, personnel numbers/personal identifiers, responsibilities, functions, attendance (yes/no), etc.).
Data on personal/professional circumstances and characteristics (e.g. nationality, date/place of birth, identity documents, data on spouse or children, marital status, portrait photo, honorary position, job title, professional career, tasks, activities, log file evaluation, entry and exit data, insurances, qualifications, evaluations/assessments, etc.).
Image and/or sound recordings (e.g. audio, video, photos)
Contract data (e.g. products purchased, (financial) services, date of purchase agreement, purchase price, special equipment, guarantees, etc.)
IT usage data (e.g. user ID, roles, network connection data (e.g. IP address, MAC address, IMEI, network edge data), authorisations, login times, computer name, etc.)
Payroll and time management data (e.g. payroll, special payments, garnishment, daily attendance times, reasons for absence, etc.)
Creditworthiness and banking data (e.g. IBAN, card number, payment history, balance sheets, data from credit agencies, score values, financial circumstances, account details, credit card number, etc.)
Personal data requiring special protection (e.g. political opinions or trade union membership)
Special statutory secrecy obligations
PolitAnalytics may process personal data as an auxiliary person of the Customer which is additionally subject to a special statutory secrecy obligation, including but not limited to:
Official secrecy
Bank client secrecy
Professional secrecy
Telecommunications secrecy
Federal Act on the General Part of Social Insurance Law (ATSG)
Place of data processing
PolitAnalytics primarily processes personal data in Switzerland and in countries of the European Economic Area (EEA). In certain cases, PolitAnalytics may also disclose personal data to recipients located outside of the EEA. Such recipients and the relevant countries are listed in Attachment 3 (Sub-processors).
Guarantees in the case of data processing outside the EEA
When processing personal data outside of the EEA, including in countries without an adequate level of data protection, PolitAnalytics ensures adequate data protection by entering into data transfer agreements with the relevant recipients which include the necessary privacy safeguards. These agreements include contracts that have been approved, issued or recognized by the European Commission and the Federal Data Protection and Information Commissioner, known as standard contractual clauses (SCC). Such contractual arrangements can partially offset weaker or absent legal protection but may not fully eliminate all risks (such as foreign government access). In exceptional cases, transmission to countries without an adequate level of protection may also be permissible for other reasons, such as on the basis of consent, in connection with foreign legal proceedings, or when the transmission is necessary for the execution of the Agreement.
Disclosure of personal data to sub-processors (e.g. group companies, suppliers)
The third parties listed in Attachment 3 (Sub-processors) have access to and process personal data as sub-processors or personal data is brought to the attention of these third parties.
Notification of data protection breaches
PolitAnalytics will notify the Customer without undue delay when PolitAnalytics becomes aware of a personal data breach leading to, or at risk of leading to, the accidental or illegal destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data. The notification will be sent via e-mail to the known representatives of the Customer.
Attachment 2: Technical and organisational measures
This Attachment 2 describes the technical and organisational measures which are implemented by PolitAnalytics under the Data Processing Agreement (DPA) within the scope of the Agreement to protect the personal data processed and to ensure data security appropriate to the risk (Art. 8 FADP and Art. 32 (1) EU-GDPR).
Entry control (Zutrittskontrolle)
Measures suitable for preventing unauthorised persons from entering facilities in which personal data are processed (processing facilities). PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Alarm system
Key regulation
Automatic access control system
Reception with people control
Security locks
Visitors' log
Securing the building shafts
Wearing employee / visitor badges
Video surveillance
Accompanying visitors
Burglar-resistant windows and/or security doors
Security personnel
Careful selection of cleaning staff
Access control (Zugangskontrolle)
Measures suitable for preventing the use of data processing systems (e.g. computers) by unauthorised persons. PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Login with passwords (e.g. user name and password)
Manage user permissions
Anti-Virus Software Server
Creating user profiles
Firewall
Central password assignment
Intrusion detection systems
Password policy ("Secure password")
Use VPN for remote access
General guideline "Data protection and security"
Encryption of data carriers
Manual desktop lock instructions
Automatic locking mechanisms (e.g. desktop lock)
Two-factor authentication
Access control (Zugriffskontrolle)
Measures suitable for limiting the access of persons authorised to use a data processing system exclusively to the personal data subject to their access authorisation and for preventing the reading, copying, modification or removal of personal data by unauthorised persons (including unauthorised input into the memory and unauthorised viewing, inspection, modification or deletion of stored personal data). PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Access logging
Authorisation concept
Minimum number of administrators
Safe for data storage
Management of user rights through administrators
Periodic check of the assigned authorisations
Standard process for authorisation allocation
Transfer and transmission control
Measures suitable for preventing the unauthorised reading, copying, modification or removal of personal data during electronic transmission or during its transport (incl. by means of data carriers), as well as measures for checking and determining to which entities a transmission of personal data using data transmission equipment is intended or takes place. PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Logging of accesses and retrievals
Disclosure in anonymised or pseudonymised form
Provision via encrypted connections such as sftp, https
Documentation of the data recipients
Input control
Measures suitable to enable the verification and determination of whether, by whom and when which personal data have been entered, modified or removed in data processing systems. PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Technical logging of the entry, modification and deletion/anonymisation of data
Overview of which programmes can be used to enter, change or delete which data
Manual or automated control of the logs
Traceability of entry, modification and deletion/anonymisation of data through individual user names (not user groups)
Document management
Allocation of rights to enter, change and delete data on the basis of an authorisation concept
Order control
Measures suitable to ensure that the processing of personal data by third parties (sub-processors) only takes place in accordance with the Customer's instructions. PolitAnalytics shall ensure this through the following measures:
Organisational measures
Technical logging of the entry, modification and deletion/anonymisation of data
Traceability of entry, modification and deletion/anonymisation of data through individual user names (not user groups)
Document management
Allocation of rights to enter, change and delete data on the basis of an authorisation concept
Availability control
Measures suitable to protect the personal data against accidental or deliberate destruction or loss. PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Fire and smoke detection systems
Backup & recovery concept (online/offline, on-site/off-site)
Fire extinguisher server room
Checking the backup process
Server room monitoring temperature and humidity
Regular data recovery tests and logging of results
Server room air conditioned
Storing the backup media in a safe place outside the server room
Uninterruptible power supply (UPS)
No sanitary connections in or above the server room
Protective socket strips server room
Reporting channels and emergency plan (e.g. BSI IT-Grundschutz 100-4)
Data protection safe (S60DIS, S120DIS, other suitable standards with swell seal etc.)
Multi-level backup concept with encrypted outsourcing of backups to a backup data centre
RAID system / hard disk mirroring
Security checks at infrastructure and application level
Video surveillance server room
Standard processes in the event of employee turnover/leaving
Virus protection (incl. regular updating)
Firewall (incl. regular updating)
Separability
Measures suitable to ensure the separate processing of personal data collected for different purposes. PolitAnalytics shall ensure this through the following measures:
Technical measures
Organisational measures
Separation of productive and test environment
Control via authorisation concept
Setting database rights
Review, assessment and evaluation
Establishment of procedures to regularly review, assess and evaluate the effectiveness of technical and organisational measures to ensure the security of processing. PolitAnalytics shall ensure this through the following measures:
Data protection management:
Technical measures
Organisational measures
Central documentation of all procedures and regulations on data protection with access for employees according to need / authorisation (e.g. wiki, intranet, etc.)
Internal Data Protection Officer as per Attachment 1 (Description of the data processing)
Employee training in the area of data protection and security
Regular sensitisation of employees (at least once a year)
Formalised process for handling requests from data subjects
Commitment of employees to confidentiality and data protection (incl. data secrecy)
Incident response management:
Technical measures
Organisational measures
Firewall (incl. regular updating)
Documented process for the detection and reporting of security incidents / data mishaps (also with regard to the obligation to report to the supervisory authority)
Spam filter (incl. regular updating)
Documented procedure for dealing with security incidents
Virus protection (incl. regular updating)
Formal process and responsibilities in case of security incidents and data breaches (including follow-ups)
Intrusion Detection System (IDS)
Documentation of security incidents and data breaches, e.g. via ticket system
Intrusion Prevention System (IPS)
Data protection-friendly default settings (Privacy by Design / Privacy by Default):
Technical measures
Organisational measures
No collection of more personal data than necessary for the respective purpose
Sensitisation of employees for Privacy by Design / Privacy by Default in projects
Simple possibility to exercise the right of withdrawal by data subjects by means of technical measures
Attachment 3: Sub-processors
This Attachment 3 lists the sub-processors engaged by PolitAnalytics. The engagement of new sub-processors and the replacement of existing sub-processors shall be governed by the provisions of the Data Processing Agreement (DPA).
| Sub-Processor | Service | Guarantee | Location |
|---|---|---|---|
| Ashby, Inc. | HR Administration | SCC/DPA | 49 Geary Street, Suite 411, San Francisco, CA 94108, USA |
| Atlassian Pty. Ltd. | Project Management | SCC/DPA | Level 6, 341 George St, Sydney NSW 2000, Australia |
| Backbone Solutions AG | Telecommunications | DPA | Chaltenbodenstrasse 4a, 8834 Schindellegi, Switzerland |
| bexio AG | Business Administration (including billing) | DPA | Alte Jonastrasse 24, 8640 Rapperswil-Jona, Switzerland |
| Calendly | Online Appointment Scheduling | SCC/DPA | 271 17th Street NW, Atlanta, GA 30363, United States |
| Certification AG | eSignature Functionality | DPA | Limmatquai 120, 8001 Zürich, Switzerland |
| Cloudflare, Inc. | Server Functionality | SCC/DPA | 101 Townsend St., San Francisco, CA 94107, USA |
| ConvertFox Global, Inc | Support / Chat (gist) | SCC/DPA | 20280 N 59th Ave #115-141, Glendale, AZ 85308, USA |
| Dealfront Finland Oy | Website Visitor Identifier (Leadfeeder) | Adequacy decision/DPA | Keskuskatu 6 E, 00100 Helsinki, Finland |
| Docker, Inc. | Container Functionality | SCC/DPA | 3790 El Camino Real #1052, Palo Alto, CA 94306, USA |
| Docmosis Pty Ltd | Document Generation | SCC/DPA | Suite 8 / 5 Hasler Road, Osborne Park, WA 6017, Australia |
| Flow Swiss AG | Server Functionality | DPA | Dufourstrasse 49, 8008 Zürich |
| Google Cloud EMEA Limited | Server Functionality, Office tools | Adequacy decision/DPA | Velasco, Clanwilliam Place, Dublin 2, Ireland |
| Help Scout, PBC | Support / Chat | SCC | 68 Harrison Ave Ste 605P MB 78505, Boston MA 02111, USA |
| Hubspot Inc. | CRM Functionality | Adequacy decision/DPA | HubSpot, Inc., 2nd Floor 30 North Wall Quay, Dublin 1, Ireland |
| OpenCrew GmbH | Software Development and other Services | DPA | Bahnhofplatz 7, 8400 Winterthur, Switzerland |
| Platform.sh GmbH | Server Functionality | Adequacy | Koblenzer Str. 11, 50968 Köln, Germany |
| SFDC Ireland Limited (Salesforce) | CRM Functionality | Adequacy | Salesforce Tower, 60 R801, North Dock, Dublin, Ireland |
| Slack Technologies Limited | Team Communications | Adequacy decision/DPA | Salesforce Tower, 60 R801, North Dock, Dublin, Ireland |
| The Rocket Science Group, LLC | CRM Functionality, E-Mail (Mailchimp) | SCC/DPA | 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA |
| Webflow, Inc. | Website Builder/CMS | SCC | 398 11th Street, San Francisco, CA 94103, USA |
| Zapier | Automation Functionality | SCC/DPA | 548 Market St. #62411, San Francisco, CA 94104-5401, USA |