Agreement between
the customer
– hereinafter referred to as the “Customer” –
and
IGC International Global Compagnie SA
A.I.T. by IGC S.A.
Rue Adrien-Lachenal 20
1207 Geneva
Switzerland
– hereinafter referred to as the “Supplier” –
relating to the processing of personal data.
Preamble
This annex specifies the obligations of the parties relating to data protection arising from the contract concluded between the parties (General Conditions of the Supplier). It applies to all activities related to the contract in which the Customer’s personal data (hereinafter referred to as “Data”) are processed by the employees of the Supplier or a subcontractor appointed by the latter.
1 Purpose, duration and specification of the processing of personal data
(1) The terms relating to the service provided by the Supplier are detailed in the contract concluded between the Supplier and the Customer (hereinafter referred to as “Contract”); this Contract includes the General Conditions of the Supplier.
(2) The subject and duration of the order are specified in the Contract, as well as the nature and purpose of the processing, unless otherwise provided in Addendum A.
(3) The period of validity of this annex is determined by the duration of the Contract, provided that no additional obligations arise from the provisions of this annex.
2 Scope and responsibility
(1) The Supplier processes the data described in Addendum A on behalf of the Customer for the purposes and to the extent specified therein. This includes the activities specified in the Contract.
(2) Under this Contract, the Customer is solely responsible for compliance with the legal provisions on data protection, and in particular for the legality of the transfer of data to the Supplier as well as for the legality of the data processing.
(3) The instructions are initially specified in the Contract and may subsequently be modified, supplemented or replaced by the Customer by means of additional instructions, in written or electronic form (in text form), addressed to the department designated by the Supplier (individual instruction). Any instruction not provided for in the Contract will be treated as a request for modification of the service. Oral instructions must be confirmed by the Customer in written or text form as quickly as possible.
3 Supplier’s obligations
(1) The Supplier may only process the data of the persons concerned within the framework of the order and the instructions of the Customer, except as provided by law. The Supplier shall immediately inform the Customer if, in its opinion, an instruction constitutes a violation of applicable laws. The Supplier may suspend the implementation of the instruction until it has been confirmed or modified by the Customer.
(2) In its area of responsibility, the Supplier will adapt the internal organization of the company to meet specific data protection requirements. It will take technical and organizational measures in accordance with legal requirements to ensure adequate protection of Customer data. The Supplier must take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of systems and services related to data processing on an ongoing basis.
These technical and organizational measures are known to the Customer, who is responsible for ensuring that they offer an adequate level of protection for the risks of the data to be processed.
(3) The measures taken by the Supplier are described in more detail in Addendum B. The technical and organizational measures are subject to technical progress and further development. In this regard, the Supplier is authorized to implement other appropriate measures, provided that the level of security provided by these measures is not lower than the previous level. Any significant change should be documented.
(4) If so agreed, the Supplier assists the Customer as far as possible in the event of requests for information and complaints from the persons concerned and in the context of compliance with data protection obligations.
(5) The Supplier guarantees that employees and other persons working for the Supplier involved in the processing of Customer data are not authorized to process data outside of the instruction. In addition, the Supplier guarantees that the persons authorized to process personal data are bound by a legal obligation of confidentiality or professional secrecy. The obligation of confidentiality or professional secrecy subsists after the execution of the order.
(6) When the Supplier detects a personal data breach, it immediately informs the Customer. The Supplier takes the necessary measures to secure the data and minimize any negative consequences for the persons concerned, and informs the Customer as soon as possible.
(7) The Supplier provides the Customer with the following point of contact for any question relating to data protection under the Contract: the data protection officer of A.I.T. by IGC S.A.
(8) The Supplier undertakes to meet its data protection obligations and to establish a procedure for periodically monitoring the effectiveness of the technical and organizational measures aimed at ensuring the security of processing.
The Supplier corrects or deletes the data that is the subject of the Contract if the Customer so requests and this falls within the scope of the instruction. If a data protection compliant erasure or a corresponding restriction of data processing is not possible, the Supplier proceeds, on the basis of an individual mandate from the Customer, to the data protection compliant destruction of the data carriers and other material, or returns these media to the Customer, unless otherwise agreed in the Contract.
In certain special cases to be determined by the Customer, storage, delivery, compensation and protection measures must be agreed separately, unless the contract already provides for them.
(9) The data, data carriers as well as all other documents must be handed over or deleted after the execution of the order at the request of the Customer. If additional costs result from deviating specifications in connection with the communication or erasure of data, these costs shall be borne by the Customer.
(10) In the event of a customer complaint by a data subject relating to data processing, the Supplier undertakes to assist the Customer, within the limits of its possibilities, in defending the claim in question.
(11) The services corresponding to points 3, 5, 6 (2) and 6 (3) (delivery of data carriers, contact with the persons concerned and checks, for example) must be reimbursed to the Supplier according to its current hourly rates or on the basis of its external expenses.
4 Obligations of the Customer
(1) The Customer undertakes to inform the Supplier in detail and as soon as possible if it finds in the results of the order any errors or irregularities concerning the provisions relating to data protection.
(2) The Customer must indicate to the Supplier the person to contact for any questions relating to data protection arising under the contract; this person must be different from the contacts already indicated by the Customer.
5 Requests from data subjects
If a data subject informs the Supplier of his wish to exercise his right of access, rectification or erasure, the Supplier shall refer this person to the Customer, provided that a connection with the latter is possible according to the indications of the person concerned. The Supplier immediately transmits the request of the person concerned to the Customer. The Supplier assists the Customer on the latter’s instructions within the framework of its possibilities and to the extent agreed. The Supplier cannot be held responsible if the request of the person concerned is not answered or is the subject of an inaccurate or late response by the Customer.
6 Means of proof
(1) The Supplier must be able to demonstrate to the Customer compliance with the obligations set out in this appendix by appropriate means, namely an internal audit.
(2) If, in certain individual cases, inspections by the Customer or an auditor appointed by the latter prove to be necessary, they must be carried out during normal business hours without disturbing the functioning of the company, after prior notification and taking into account a reasonable period of time. The Supplier may make them subject to prior notification with a reasonable period of time and to the signing of a confidentiality agreement covering the data of other customers and the technical and organizational measures put in place. If the auditor appointed by the Customer is in a competitive relationship with the Supplier, the Supplier has a right to object to that auditor.
(3) If a data protection supervisory authority or a public supervisory authority in the Member State of the Client carries out an inspection, paragraph 2 shall apply accordingly. The signing of a confidentiality agreement is not required if this supervisory authority is subject to a legal obligation of professional secrecy or confidentiality, the non-observance of which is punishable under the Criminal Code.
7 Sub-contractors (other sub-contractors)
(1) The Supplier is authorized to use subcontractors, provided that the latter themselves meet the requirements of this appendix within the framework of the subcontracting contract.
(2) The Customer accepts that the Supplier uses subcontractors as part of the execution of the order. The Supplier informs the Customer before any recourse to or replacement of a subcontractor. The Supplier is required to inform the Customer of the use of the services of a subcontractor by updating the list mentioned above. This list must be updated at least 14 days in advance. The Customer will consult the list regularly. The Customer may object to the change planned by the Supplier within 14 days and for important reasons. If no objection is formulated within the time limit, acceptance of the change is considered given. If there is an important reason relating to data protection, and if an amicable solution cannot be found between the parties, the Supplier has a special right of termination.
(3) A subcontract subject to approval exists from the moment the Supplier mandates other suppliers to perform all or part of the service agreed in this annex. The Supplier will enter into agreements with these third parties where appropriate to ensure that adequate privacy and information protection measures are taken. Subcontractors who do not have access to Client data or do not process Client data are excluded from this chapter and do not have to appear in the list mentioned above.
(4) If the Supplier places orders with subcontractors, it is the Supplier’s responsibility to transfer to them its obligations relating to data protection as defined in this annex.
8 Information obligations
If the Customer’s data is compromised due to seizure or confiscation, bankruptcy or insolvency proceedings or other events or measures of third parties, the Supplier must inform the Customer as soon as possible. The Supplier must immediately inform all responsible persons concerned that the sovereignty and ownership of the data belongs exclusively to the Customer as “data controller” within the meaning of the General Data Protection Regulation.
9 Liability
Liability is governed by the Contract.
10 Miscellaneous
(1) The provisions of the Contract also apply. In the event of any contradiction between the provisions of this appendix and the provisions of the Contract, this appendix shall prevail.
Should any provision of this annex be void, the validity of the Contract and of the annex will not be affected.
(2) Addenda A and B form an integral part of this appendix.
Addendum A of the agreement relating to the processing of personal data
Purpose of the contract: Processing of the Customer’s personal data as part of its use of the Supplier’s services as Software as a Service (SaaS).
Type of personal data: The types of data depend on the data transmitted by the Customer. These are (depending on the order):
Basic personal data (name, date of birth, address, employer), including contact details (telephone and e-mail, for example)
Data relating to the contract, including billing and payment data
History of contract data
Categories of data subjects: The types of data subjects depend on the data transmitted by the Customer. They are (depending on the order):
The collaborators (including candidates and former collaborators) of the Customer
The clients of the Customer
The prospects of the Customer
The service providers of the Customer
The contact details of the contact persons
Erasure, blocking and rectification of data: Any request for erasure, blocking and rectification must be addressed to the Customer; otherwise the provisions of the Contract apply.
Addendum B
to the agreement relating to the processing of order data
Technical and organizational measures (MTO)
1 Technical and organizational measures
The following technical and organizational measures (abbreviated as MTO) are essential for data processing:
(1) Access control to premises and facilities:
The following measures are in place with regard to access control:
Defining security zones
Implementation of effective access protection
Definition of authorized persons
Management and documentation of personnel access authorizations over the entire life cycle
Support for visitors and external staff
Monitoring of spaces outside of closing hours
Logging of physical access
(2) System access control:
Access protection (authentication)
Simple employee authentication (by username and password) with a high level of protection
Blocking in the event of authentication failure or inactivity and the process of resetting blocked access credentials
No password-storing or form-autofill function available
Definition of authorized persons
Management and documentation of personnel authentication media and access authorizations
Automatic access blocking
Manual access blocking
Secure transmission of authentication identifiers (credentials) in the network
Access logging
(3) Data access control:
The following measures are in place with regard to data access control:
Development of an authorization concept
Implementation of access restrictions
Assignment of minimum authorizations
Management and documentation of data access authorizations
Data access logging
(4) Transport and transfer controls:
The following measures are in place with regard to transfer control:
Secure data transfer between the server and the Customer
Securing of back-end transmissions
Secure transmission to external systems
Implementation of secure gateways at network transmission points
Hardening of back-end systems
Description of all interfaces and personal data fields transmitted
Machine-to-machine authentication
Data carrier management (procedure)
Collection and disposal procedure
Data protection compliant deletion / erasure procedure
(5) Input control (data entry):
The following measures are in place with regard to input control:
Documentation of data entry authorizations
Logging of entries
(6) Control of orders:
The following measures are in place with regard to order control:
Documentation of data entry authorizations
Logging of entries
(7) Availability control:
The following measures are in place with regard to availability control:
Backup concept
Emergency plan
Backup storage
Control of emergency systems
(8) Principle of separation:
The following measures are in place with regard to the principle of separation:
Data minimization in data collection
Separate processing