Preamble

This annex specifies the obligations of the contracting parties regarding data pro- tection, which result from the contract concluded between the parties (general terms and conditions of the provider). It applies to all activities that are related to the contract and in which employees of the provider or those commissioned by the provider process personal data (hereinafter “data”) of the client.

1. Subject, duration and specification of order processing

1.1 Details regarding the service of the provider are regulated in the respective contract between the provider and the client (hereinafter referred to as the “contract”). This contract consists of the general terms and conditions of the pro- vider.

1.2 The subject matter and duration of the order as well as the type and purpose of processing result from the contract, unless otherwise stated in Appendix A.

1.3 The term of this annex is based on the term of the contract, unless the provi- sions of this annex result in additional obligations.

2. Scope and responsibility

2.1 The provider processes the data specified in Appendix A on behalf of the client for the stated purpose to the extent specified. This includes activities that are specified in the contract.

2.2 Within the framework of this contract, the client is solely responsible for com- pliance with the legal provisions of data protection laws, in particular for the le- gality of data transfer to the provider and for the legality of data processing.

2.3 The instructions are initially set out in the contract and can then be changed, supplemented or replaced by the client in writing or in an electronic format (text form) at the point designated by the provider with individual instructions (indi- vidual instruction). Instructions that are not provided for in the contract are treated as a request for a change in service. Verbal instructions must be imme- diately made up in writing or in text form by the client.

3. Obligations of the provider

3.1 The provider may only process data from data subjects within the framework of the order and the instructions of the client; unless there is a legally regulated exception. The provider informs the client immediately if he believes that an in- struction violates applicable laws. The provider may suspend the implementa- tion of the instruction until it has been confirmed or changed by the client.

3.2 In its area of responsibility, the provider will design the internal organization so that it meets the special requirements of data protection. He will take tech- nical and organizational measures to adequately protect the data of the client that meet the respective legal requirements. The provider must take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term. The client is aware of these technical and organizational measures and is responsible for ensuring that they offer an adequate level of protection against the risks of the data to be processed.

3.3 The measures taken by the provider are described in more detail in Appendix.

The technical and organizational measures are subject to technical progress and further development. In this respect, the provider is allowed to implement alternative adequate measures. The security level of the defined measures must not be undercut. Significant changes must be documented.

3.4 As far as agreed, the provider supports the client to the extent possible to fulfill the inquiries and claims of data subjects and to comply with data protec- tion obligations.

3.5 The provider guarantees that the employees involved in processing the cus- tomer’s data and other persons working for the provider are prohibited from processing the data outside of the instructions. Furthermore, the provider guar- antees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation to maintain confidentiality. The duty of confidentiality / confidentiality continues even after the end of the order.

3.6 The provider will inform the client immediately if he becomes aware of viola- tions of the client’s personal data protection. The provider takes the necessary measures to secure the data and mitigate the possible adverse consequences of the data subjects and immediately agrees with the client.

3.7 The provider gives the client the following contact for data protection questions arising under the contract: datenschutz@comitas.ch

3.8 The provider guarantees to comply with its respective data protection obliga- tions to use a procedure for regularly checking the effectiveness of the technical and organizational measures to ensure the security of processing. The provider corrects or deletes the contractual data if the client instructs it and this is in- cluded in the framework. If a data protection-compliant deletion or a corre- sponding restriction of the data processing is not possible, the provider takes over the data protection-compliant destruction of data carriers and other mate- rials on the basis of an individual order by the customer or returns these data carriers to the customer, unless otherwise agreed in the contract. In special cases to be determined by the client, storage or handover, remuneration and protec- tive measures are to be agreed separately, unless otherwise agreed in the con- tract.

3.9 Data, data carriers and all other materials must either be released or deleted at the request of the client after the order has ended. If additional costs arise due to deviating specifications when the data is released or deleted, the client bears these.

3.10 In the event of a claim against the client by a data subject in connection with the order processing, the provider undertakes to support the client in defending the claim within the scope of his options.

3.11 The Provider shall be remunerated for services pursuant to Sections 3, 5, 6(2) and 6(3) (e.g. disclosure of data subjects, contacting data subjects, audits) in accordance with its current hourly rates or external expenses.

4. Obligations of the client

4.1 The client has to inform the provider immediately and completely if he finds errors or irregularities in the data protection regulations in the order results.

4.2 The client gives the provider the contact person for data protection questions arising in the context of the contract, insofar as this differs from the contacts already named by the client.

4.3 Services according to numbers 3, 5, 6 (2) and 6 (3) (e.g. surrender of data car- riers, addressing those affected, examinations) are to be paid to the provider according to his current hourly rates or external expenses.

5. Inquiries from data subjects

5.1 If a data subject contacts the provider with requests for correction, deletion or information, the provider will refer the data subject to the client, provided that an assignment to the client is possible according to the data subject. The pro- vider supports the client as far as agreed upon within the scope of his options. The provider is not liable if the request of the person concerned by the client is not answered correctly or not on time.

6. Detection options

6.1 The provider demonstrates to the client that he has complied with the obliga- tions laid down in this appendix using suitable means. This is done through a self- audit and / or certification according to ISO 27001.

6.2 If inspections by the client or an inspector commissioned by the client are re- quired in individual cases, these will be carried out during normal business hours without disrupting the operational sequence after registration, taking into ac- count a reasonable lead time. The provider may make this dependent on the previous registration with a reasonable lead time and on the signing of a confi- dentiality agreement with regard to the data of other customers and the tech- nical and organizational measures implemented. If the auditor commissioned by the client is in a competitive relationship with the provider, the provider has the right to object to this.

6.3 Should a data protection supervisory authority or other sovereign supervisory authority of the client carry out an inspection, paragraph 2 applies in principle. It is not necessary to sign a confidentiality obligation if this supervisory authority is subject to professional or legal secrecy in which an infringement is punishable under the Criminal Code.

7. Subcontractors (further processors)

7.1 The subcontractor may be commissioned by the provider, provided that the subcontract in turn fulfills the requirements of the present system.

7.2 The client agrees that the provider engages subcontractors. The provider in- forms the client before engaging or replacing the subcontractors. The provider is obliged to inform the client about the assignment of a subcontractor by up- dating the overview. The overview must be updated at least 14 days in advance. The client will regularly see the overview. The client can change the – within these 14 days – for important Reason – contradict the provider. If there is no objection within the period, the consent to the change is deemed to be given. If there is an important data pro- tection law reason, and if a mutually acceptable solution between the parties is not possible, the provider is granted a special right of termination.

7.3 A subcontractor relationship requiring approval exists if the provider commis- sions other providers with all or part of the service agreed in this system. The provider will make agreements with these third parties to the extent necessary to ensure adequate data protection and information security measures. Subcon- tractors who have no access to customer data or who do not process customer data are excluded from this chapter and will accordingly not appear in the list mentioned.

7.4 If the provider places orders with subcontractors, the provider is responsible for transferring his data protection obligations from this system to the subcon- tractor.

8. Duty to provide information

If the data of the client at the provider are endangered by attachment or seizure, by an insolvency or settlement procedure or by other events or measures of third parties, the provider must inform the client immediately. The provider will im- mediately inform all those responsible in this regard that the sovereignty and ownership of the data rests exclusively with the client as the “responsible per- son” within the meaning of the General Data Protection Regulation.

9. Liability

9.1 Liability is based on the contract.

10. Others

10.1 Otherwise the provisions of the contract apply. In the event of any contradic- tions between the rules of this annex and the provisions of the contract, this annex takes precedence. Should individual parts of this system be ineffective, this does not affect the effectiveness of the contract and the system.

Version September 2020

Appendix A and B are an integral part of this appendix.