Data Processing

Data Processing

General Terms and Conditions for the Processing of Personal Data in Connection with Service Contracts

Scope

In the provision of services under the applicable service contract, SwissComply AG (hereinafter referred to as SwissComply) processes personal data provided by the client for the purpose of providing services to SwissComply (“Personal Data”). These General Terms and Conditions describe the data protection obligations and rights of the parties in connection with the processing of Personal Data for the provision of services by SwissComply under the applicable service contract.

Location of Data Processing

The processing of data by SwissComply takes place in Switzerland, a member state of the European Economic Area (EEA), or a third country that ensures an adequate level of data protection. The transfer of personal data to a third country or to international organizations requires the prior consent of the client.

Scope of Processing

SwissComply processes Personal Data in good faith and in accordance with the principle of proportionality.

The processing of Personal Data by SwissComply is carried out in the manner, scope, and for the purpose of fulfilling the service contract concluded with the client.

The duration of processing corresponds to the duration of the service contract and ends upon its expiry.

Requirements for SwissComply Employees

SwissComply has obligated all employees to maintain confidentiality regarding the processing of Personal Data.

SwissComply ensures that employees who have access to Personal Data only process it on SwissComply’s instructions.

Security of Processing

SwissComply takes all appropriate technical and organizational measures necessary to ensure data security, taking into account the state of the art, the nature, scope, circumstances, and purpose of the processing of Personal Data.

Before commencing the processing of Personal Data, SwissComply must, in particular, take the necessary technical and organizational measures and maintain them throughout the duration of the service contract to ensure that the processing of Personal Data is in line with these measures.

Engagement of Subprocessors / Data Processing by Third Parties

The client hereby generally approves the engagement of subprocessors by SwissComply. The currently engaged subprocessors by SwissComply are listed in the subprocessor directory, which is an integral part of these General Terms and Conditions and can be accessed on SwissComply’s website (swisscomply.ch/subprocessors).

SwissComply informs the client of changes regarding the engagement or replacement of subprocessors. In the event of changes, SwissComply updates the above-mentioned list of subprocessors and makes it accessible on the website. The client may object to this change. If the client objects, SwissComply is prohibited from engaging the subprocessor in question for the client.

SwissComply will contractually impose the same data protection obligations on any subprocessor as those applicable to SwissComply itself.

SwissComply will, before engagement and regularly during the execution of the engagement, verify that subprocessors comply with the imposed data protection obligations and have taken appropriate technical and organizational measures.

Rights of Data Subjects

SwissComply will assist the client, as part of the applicable service contract, in fulfilling its obligation to respond to requests from individuals concerning the processing of their data.

SwissComply will, in particular:

– promptly inform the client if an individual submits a request for the exercise of their rights regarding Personal Data directly to SwissComply;

– provide the client, upon request, with all available information concerning the processing of Personal Data necessary for the client to respond to a request from an individual that the client does not have access to.

Additional Responsibilities of SwissComply

SwissComply will promptly notify the client of any breach of data security, particularly incidents that lead to the destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Personal Data.

In the event that the client is obligated to notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) under Article 24 of the Swiss Data Protection Act (DPA) regarding data security breaches, SwissComply will assist the client in fulfilling its obligations upon request.

SwissComply ensures that the processing of Personal Data complies with these General Terms and Conditions and the client’s instructions.

SwissComply maintains a data processing register. Upon request, SwissComply provides the client with information about it.

Data Deletion and Return

Upon the written instruction of the client and upon termination of the service contract, SwissComply will either completely and irreversibly delete Personal Data or return it to the client, unless there is a legal obligation for SwissComply to further retain Personal Data.

Changes to the Terms

Changes to these terms may be made by SwissComply at any time, especially to comply with new legal and regulatory requirements. Such changes may be made unilaterally by SwissComply and will be communicated to the client in an appropriate manner.

Unless the client raises a written objection within one month, the changes are considered approved.

Contact

For any questions regarding personal data, you can contact us at the address provided under “Contact” at any time.