Controller to Processor Agreement
(Data Processing Agreement)
This agreement is part of HORISEN’s Framework Agreement for its Services and is entered on Effective Date into by and between
HORISEN AG, a company organised and existing under the laws of Switzerland, having its registered office at Hauptstrasse 65, 9400 Rorschach, Switzerland,
hereinafter referred to as “DATA PROCESSOR”
the other signing contracting party of the Framework Agreement,
hereinafter referred to as “DATA CONTROLLER”.
Both hereinafter referred to as the “Parties”.
The following terms are defined in addition to the definitions of the Agreement, and those terms shall have the meaning given to them under GDPR, and particularly:
APPLICABLE LAW(S)in this Agreement means: each legislation applicable to each party hereto (including regulation and Data Protection Legislation for the avoidance of any doubt).
Data Controllermeans an entity (legal person under this agreement) which determines the purposes and means of the processing of personal data.
Data Processormeans an entity (legal person under this agreement) which processes personal data on behalf of the controller.
Data Protection Officer (DPO)means a natural person who ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data.
Data Subjectmeans the identified or identifiable natural person to whom Personal Data relates as defined by Data Protection Laws and Regulations.
GDPRmeans the EU General Data Protection Regulation (EU) 2016/679, which is a regulation in EU law on data protection and privacy for all individuals within the European Union. It replaces the prior Data Protection Directive (95/46/EC) of 1995.
Personal Datameans any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processingmeans any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Sub-Contractormeans companies currently engaged by DATA PROCESSOR which are listed at sub-contractors.
Sub-Processormeans a third party engaged by DATA PROCESSOR that is processing DATA CONTROLLER’s PERSONAL DATA for a specific purpose.
Party(ies)means the entity signing this Agreement.
HORISEN Groupmeans an economic entity formed of a set of companies which are listed at horisen-group.
DATA CONTROLLER and DATA PROCESSOR signed a Framework Agreement for the Provision of «horisen.pro» Services (‘’Framework Agreement’’) pursuant to which the DATA PROCESSOR must perform Services as may be ordered by DATA CONTROLLER.
In order to fulfill the requirements of the Data Protection Legislation pertaining to the Framework Agreement, the Parties now wish to additionally enter into this Controller-to-Processor Agreement (“Agreement”).
The construction of the capitalized terms used in this Agreement are to be primarily construed as defined in the Framework Agreement and if not capitalized herein or not defined in the Framework Agreement or in this Agreement, with the meaning that could be reasonably attributed to those terms by the Parties.
The DATA CONTROLLER processes its PERSONAL DATA as well as PERSONAL DATA of other entities of the DATA CONTROLLER group of companies.
The DATA CONTROLLER wishes to outsource to the DATA PROCESSOR certain processing procedures with respect to such PERSONAL DATA and the DATA PROCESSOR is willing to supply such processing services to the DATA CONTROLLER on the terms and conditions contained in this Agreement.
The signature of this Agreement does not create any obligation to transfer any processing activity from the DATA CONTROLLER or any DATA CONTROLLER Company to the DATA PROCESSOR. The signature of any Order pursuant to the Framework Agreement may trigger the processing of PERSONAL DATA by DATA PROCESSOR in which case such activities shall be governed by this Agreement and the applicable terms and conditions of the Framework Agreement.
This Agreement is incorporated into the Framework Agreement and the Framework Agreement shall fully apply to and prevail over this Agreement unless a term or condition of this Agreement expressly deviates from the Framework Agreement in which case such deviating term or condition shall apply for this Agreement only.
NOW IT IS AGREED as follows
For the avoidance of any doubt, the recitals of this Agreement are part of this Agreement.
Any breach of this Agreement by DATA PROCESSOR shall be construed as a material breach of the Framework Agreement, and liability (if any) of the DATA PROCESSOR shall be governed by the terms and conditions of the Framework Agreement.
The DATA CONTROLLER and the DATA PROCESSOR each must comply at all times with applicable Laws and the provisions of this Agreement.
Nature and Purpose of the PERSONAL DATA PROCESSING
1.1 PROCESSING of the PERSONAL DATA consists of storing of the PERSONAL DATA, its processing for the purpose of providing Services defined in the Framework Agreement and processing for the purpose of providing the Support based on the other Party’s request.
1.2 The purposes for which the PERSONAL DATA shall be processed is for providing services to DATA CONTROLLER, related to horisen.pro platform including all applications and services, which are determined by Framework Agreement.
1.3 PERSONAL DATA that DATA PROCESSOR processes for the purpose of providing Services defined in the Framework Agreement are deemed confidential, in accordance with the Confidentiality and Non-disclosure Agreement signed by both Parties.
Rights and Obligations of the DATA CONTROLLER
2.1 The DATA CONTROLLER has the right and obligation to make decisions about the purposes and means of the PROCESSING of PERSONAL DATA.
2.2 The DATA CONTROLLER shall be responsible, among other, to ensure that the PROCESSING of PERSONAL DATA, which the DATA PROCESSOR is instructed to perform, has a legal basis.
2.3 The DATA CONTROLLER shall be responsible for ensuring that the PROCESSING of PERSONAL DATA takes place in compliance with the APPLICABLE LAWS.
2.4 The DATA CONTROLLER shall transfer to the DATA PROCESSOR only PERSONAL DATA obtained in compliance with the relevant provisions of the applicable Data Protection Legislation for the purposes stated in this Agreement.
2.5 The DATA CONTROLLER shall keep up to date and correct all PERSONAL DATA transferred to the DATA PROCESSOR whenever required in particular as set out by the relevant provisions of the applicable Data Protection Legislation.
2.6 The DATA CONTROLLER is solely obliged to provide DATA SUBJECTS with all information and explanations as required under APPLICABLE LAWS. As between DATA PROCESSOR and DATA CONTROLLER, the DATA CONTROLLER is also solely responsible for dealing with DATA SUBJECTS in relation to their rights to access their respective data in accordance with APPLICABLE LAWS.
Obligations of the DATA PROCESSOR
3.1 The DATA PROCESSOR shall process the PERSONAL DATA on behalf of the DATA CONTROLLER pursuant to the written instructions of the DATA CONTROLLER in accordance with APPLICABLE LAWS and the terms and conditions set forth in the Agreement.
3.2 The DATA PROCESSOR shall correct, modify, block or erase (as instructed by the DATA CONTROLLER) any PERSONAL DATA processed by DATA PROCESSOR in case it is not possible for the DATA CONTROLLER to do so.
3.3 The DATA PROCESSOR warrants and represents that it has implemented (and shall maintain during the term of this Agreement and as long as required by Laws) the technical and organizational security measures for the protection of PERSONAL DATA before processing the PERSONAL DATA which are transferred, and additional security measures as mutually agreed by the DATA PROCESSOR and the DATA CONTROLLER in an Order. DATA PROCESSOR has been adopting security measures. All of organizational and technical measures are applied in accordance with appropriate information security (e.g. ISO 27001) practices and GDPR requirements.
3.4 The DATA PROCESSOR shall not less than once per calendar year test implemented measures.
3.5 In order to ensure compliance with such security measures, the DATA PROCESSOR shall permit the DATA CONTROLLER to conduct periodic inspections of its premises and the implemented security measures during usual business hours. The DATA CONTROLLER shall provide the DATA PROCESSOR with reasonable (but in no event less than thirty  days) advance notice of each inspection.
3.6 The DATA PROCESSOR must ensure that its personnel engaged in the processing of PERSONAL DATA comply and shall comply at all times with the data secrecy requirements.
3.7 The DATA PROCESSOR shall only allow access to the PERSONAL DATA to its staff or consultants where and to the extent that such access is required for the performance of the Services and subject to such staff and consultants having entered into an adequate non-disclosure agreement.
3.8 In the event that the DATA PROCESSOR shall discover that the DATA CONTROLLER is in breach of any of its obligations provided by the relevant Data Protection Legislation, the DATA PROCESSOR shall without delay notify the DATA CONTROLLER of this fact and suspend the performance of the suspected infringing processing until such time as the breach is remedied.
3.9 The DATA PROCESSOR undertakes to inform the DATA CONTROLLER without delay about any complaints, requests or other communications received by it from data subjects, data protection regulator(s) or third parties related to the processing of PERSONAL DATA by the DATA PROCESSOR and/or the DATA CONTROLLER.
3.10 The DATA PROCESSOR shall immediately inform the DATA CONTROLLER if instructions given by the DATA CONTROLLER, in the opinion of the DATA PROCESSOR, contravene the APPLICABLE LAWS.
3.11 The DATA PROCESSOR must comply with this Agreement at all times.
Assistance to the DATA CONTROLLER
4.1 Taking into account the nature of the PROCESSING, the DATA PROCESSOR shall assist the DATA CONTROLLER in the fulfilment of the DATA CONTROLLER’s obligations to respond to requests for exercising the DATA SUBJECT’s rights laid in the APPLICABLE LAWS.
4.2 The DATA PROCESSOR shall assist the DATA CONTROLLER in ensuring compliance with:
a) the DATA CONTROLLER’s obligation to, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the PERSONAL DATA BREACH to the competent supervisory authority, unless the PERSONAL DATA BREACH is unlikely to result in a risk to the rights and freedoms of natural persons;
b) the DATA CONTROLLER’s obligation to without undue delay communicate PERSONAL DATA BREACH to the DATA SUBJECT, when the PERSONAL DATA BREACH is likely to result in a high risk to the rights and freedoms of DATA SUBJECT;
c) the DATA CONTROLLER’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of PERSONAL DATA (a data protection impact assessment).
PERSONAL DATA BREACHES and Reporting Procedures
5.1 The DATA PROCESSOR is under a strict obligation to immediately notify the DATA CONTROLLER of any PERSONAL DATA BREACH and no later than within 24 hours of the DATA PROCESSOR becoming aware of the breach, to enable the DATA CONTROLLER to comply with the DATA CONTROLLER’s obligation to notify the PERSONAL DATA BREACH to competent supervisory authority.
5.2 The DATA CONTROLLER is under obligation to without due delay communicate the PERSONAL DATA Breach to the DATA SUBJECT, when the PERSONAL DATA BREACH is likely to result in a high risk to the rights and freedoms of DATA SUBJECT.
5.3 The DATA PROCESSOR agrees to provide any reasonable assistance as is required by the DATA CONTROLLER or the Data Protection Authority to facilitate the handling of any PERSONAL DATA BREACH in an expeditious and compliant manner.
5.4 In respect of any PERSONAL DATA BREACH, DATA PROCESSOR shall provide the following details regarding the PERSONAL DATA BREACH to the DATA CONTROLLER:
a) the description of the nature of the PERSONAL DATA BREACH including, where possible, the categories and approximate number of DATA SUBJECTS concerned as well as categories and an estimated number of PERSONAL DATA records concerned;
b) name and contact details of the DATA PROTECTION OFFICER or other contact point for further relevant inquires;
c) the description of the likely consequences of the PERSONAL DATA BREACH;
d) the description of the measures taken or proposed to be taken to address the PERSONAL DATA BREACH, including, where appropriate, measures to mitigate its possible adverse effects.
Retention Period and Liquidation of PERSONAL DATA
6.1 The PERSONAL DATA shall be retained by the DATA PROCESSOR in order to perform the Services for the time periods as defined by DATA CONTROLLER and in any case no longer than what is strictly necessary for the DATA PROCESSOR to (i) process the PERSONAL DATA in line with this Agreement or (ii) as the case may be, to meet any of its legal obligations (in particular statutory archival and retention obligations).
6.2 Subject to any legal obligations or request from DATA CONTROLLER to archive or retain PERSONAL DATA, at the request of the DATA CONTROLLER, the DATA PROCESSOR shall carry out the liquidation of any or all the PERSONAL DATA without undue delay after all the specific purposes for which the PERSONAL DATA were processed cease to exist or upon receipt of a written request of the DATA CONTROLLER.
6.3On the instructions of the DATA CONTROLLER, the DATA PROCESSOR shall ensure that the PERSONAL DATA processed under this Agreement are returned to the DATA CONTROLLER or destroyed in accordance with the DATA CONTROLLER’S instructions. If those instructions are not in contradiction with APPLICABLE LAWS. The DATA CONTROLLER reserves the right to issue instructions to the DATA PROCESSOR under this Clause at any time. In case, that instructions are not in accordance with APPLICABLE LAWS, APPLICABLE LAWS shall prevail.
6.4 Following the deletion of PERSONAL DATA under this clause, the DATA PROCESSOR shall notify the DATA CONTROLLER that the PERSONAL DATA in question has been deleted. Where applicable, the DATA PROCESSOR shall also provide confirmation that the PERSONAL DATA has been destroyed in accordance with any instructions issued by the DATA CONTROLLER, if those instructions are not in contradiction with APPLICABLE LAWS. In case, that instructions are not in accordance with APPLICABLE LAWS, APPLICABLE LAWS shall prevail.
7.1 The DATA PROCESSOR agrees to maintain records of all PERSONAL DATA processed under the Agreement and its processing activities. The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this clause at any time, with reasonable (but in no event less than 30 days) advance notice of each inspection.
7.2 If DATA SUBJECT in any case requires information from DATA CONTROLER on subject of what type of that subject’s PERSONAL DATA is being processed under this Agreement, and if DATA CONTROLER is not able to provide this type of information without DATA PROCESSOR’s help, DATA PROCESSOR is obliged to provide any reasonable help.
7.3 The records shall be in writing, including in electronic form.
7.4 The DATA CONTROLLER or DATA PROCESSOR and, where applicable, the DATA CONTROLLER’s or the DATA PROCESSOR’s representative, shall make the record available to the supervisory authority on request.
7.5 The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this clause at any time, with reasonable (but in no event less than 30 days) advance notice of each inspection.
7.6 If DATA SUBJECT in any case requires information from DATA CONTROLLER on subject of what type of that subject’s PERSONAL DATA is being processed under this Agreement, and if DATA CONTROLLER is not able to provide this type of information without DATA PROCESSOR’s help, DATA PROCESSOR is obliged to provide any reasonable help.
8.1 The DATA PROCESSOR shall only grant access to the PERSONAL DATA being processed on behalf of the DATA CONTROLLER to persons under the DATA PROCESSOR’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this periodic review, such access to PERSONAL DATA can be withdrawn, if access is no longer necessary and PERSONAL DATA shall consequently not be accessible anymore to those persons.
8.2 The DATA PROCESSOR shall at the request of the DATA CONTROLLER demonstrate that the concerned persons under the DATA PROCESSOR’s authority are subject to the above-mentioned confidentiality.
9.1 In order to provide services, to the standard required by the client (DATA CONTROLLER) as agreed in the Framework Agreement, DATA PROCESSOR might engage companies from HORISEN GROUP. All members of HORISEN GROUP have the same information security policies and procedures established in accordance with ISO 27001 standard and data protection policies and procedures in accordance with GDPR requirements. By signing this agreement DATA CONTROLLER agrees that other members of HORISEN GROUP are considered as SUB-PROCESSORS.
9.2 By signing this Agreement DATA CONTROLLER agrees that DATA PROCESSOR may at any time engage another processor, which should be considered as a SUB-PROCESSOR, but in that case DATA CONTROLLER have to be informed by DATA PROCESSOR about addition or replacement of SUB-PROCESSORS. DATA PROCESSOR should make sure there is signed Data Processing Agreement, between DATA PROCESSOR and SUB-PROCESSOR, in place and that any engaged SUB-PROCESSOR at least complies with the obligations to which the DATA PROCESSOR is subject pursuant to this Data Processing Agreement and the applicable legislation. DATA CONTROLLER reserves the right to object to these changes. DATA PROCESSOR reserves the right to engage telecom provider or third-party telecom supplier for providing services that require their engagement (e.g. SMS or voice traffic).
9.3 DATA PROCESSOR shall store PERSONAL DATA originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross-border transfer of PERSONAL DATA from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless it is requested specifically by DATA CONTROLLER.
DATA CONTROLLER’s Rights to monitor and audit DATA PROCESSOR
10.1 In addition to the monitoring and/or audit rights set out in the Agreement, the DATA CONTROLLER is entitled to proceed to any and all verifications (including on the DATA PROCESSOR’s site(s)) during usual business hours provided the DATA CONTROLLER gives reasonable (but in any event no less than 30 days’) prior written notice to the DATA PROCESSOR.
10.2 The DATA PROCESSOR shall duly and promptly cooperate with the DATA CONTROLLER, upon request of the DATA CONTROLLER, by giving access to all the documents, infrastructures, premises, information and/or staff reasonably required by the DATA CONTROLLER to ensure such Data Processing is compliant with this Agreement.
10.3 The costs and consequences of the monitoring and audits shall be borne by the DATA CONTROLLER including support costs.
Transfer of data
11.1 Any transfer of PERSONAL DATA by the DATA PROCESSOR shall be performed only within the companies belonging to the HORISEN GROUP and only for the purpose of providing the services defined in the Framework Agreement.
11.2 Transfer of PERSONAL DATA shall be made only upon DATA CONTROLLER’s request for the purpose of providing it the requested Support.
12.1 Any notice or other communication which is given under this Agreement to a Party will be addressed and sent to that Party at the address as specified in this Agreement, or at any other address as otherwise notified to the other Party (including for the avoidance of doubt in a Statement of Work).
12.2 For data privacy and security related questions and concerns DATA CONTROLLER should contact DATA PROCESSORS’s DPO.
12.3 The specified address, telephone number and email address for each Party for the purposes of this Clause are listed on the first page of this Agreement.
Changes to Applicable Law
13.1 In case the applicable data protection and applicable laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties will amend the Agreement. In such circumstances, the DATA PROCESSOR agrees to implement any changes to its processing activities as are necessary to comply with the amended terms of the Agreement.
14.1 This Agreement is entered into as of its Effective Date and for the whole term of the Agreement. For the avoidance of any doubt, it will follow the term of the Agreement and shall be automatically terminated whenever the Agreement is terminated or expired. Termination or expiry of this Agreement shall not terminate the Agreement.
14.2 In addition, the DATA CONTROLLER may terminate this Agreement with a 30 days prior notice to the DATA PROCESSOR without any termination fees or penalty.
14.3 This Agreement constitutes the entire agreement between the Parties with respect to the subject matter contained herein.
14.4 This Agreement may be altered or supplemented only in writing and provided any such amendment is signed by the duly authorized representatives of both Parties.
14.5 If any provision of this Agreement is held invalid, illegal, or unenforceable for any reason, such provision shall be severed, and the remainder of the provisions hereof shall continue in full force and effect as if this Agreement has been executed with the invalid, illegal or unenforceable provision eliminated and the Parties shall rapidly discuss and amend the Agreement with a valid, legal and enforceable provision.
14.6 DATA CONTROLLER may modify this Agreement at all times upon written notice to DATA PROCESSOR and such changes shall be effective and applicable to both Parties as indicated in such written notice.
14.7 This Agreement is governed by the laws of Switzerland and GDPR, without regard to their conflicts of law principles.
Last update: 30th of December, 2021.