Personal Data Protection Agreement
Between
PropriX AG, with registered office at Dorfstrasse 58 – 6332 Hagendorn (CH), registered with the Commercial Register under CH-170.3.050.072-0, UID/VAT CHE-415.373.009, e-mail: hello@proprix.ch (hereinafter also "PropriX" or the "Processor")
and
the Customer, a legal entity that requests and benefits from PropriX's services through the use of the Platform (hereinafter, the "Customer" or the "Controller").
1. Recitals
- This Personal Data Protection Agreement (this "Agreement") forms an integral part of the Services Agreement between PropriX and the Customer.
- For the performance of the Services Agreement, PropriX is required, on behalf of the Customer, to carry out processing activities relating to personal data for which the Customer is the controller.
- By this Agreement, the Customer intends to appoint PropriX as its processor for the processing of personal data pursuant to Art. 9 of the revised Swiss Federal Act on Data Protection (nFADP) and Article 28 of the GDPR (Regulation (EU) 2016/679).
- Unless otherwise specified in this Agreement, capitalised terms used in this Agreement shall have the meanings given to them in the General Terms and Conditions and in the Data Protection Notice.
- Where the provisions of this Agreement use terms defined in the applicable data protection law, such terms shall have the meaning set out in that law. The relevant clauses shall be construed in the light of the applicable data protection law.
- These recitals form an integral and substantive part of this Agreement.
2. Processing of personal data
2.1. The Processor, in respect of all personal data it processes on behalf of the Controller, warrants that it:
- will process such personal data solely for the purposes of performing the Services Agreement and, accordingly, solely on the Customer's instructions
- will not transfer personal data to third parties except in compliance with the lawful basis satisfied by the Customer and as governed by this Agreement
- will not process personal data for purposes other than those for which the Services Agreement is entered into.
2.2. In order to address any requests and the exercise of rights granted to data subjects under the applicable data protection law, the Processor undertakes to adopt:
- appropriate procedures to ensure compliance with data subjects' rights in respect of their personal data
- at the Customer's request, procedures to ensure the updating, amendment, rectification and erasure of data subjects' personal data, as well as procedures to ensure the restriction of the processing of data subjects' personal data.
2.3. The Processor warrants that it will cooperate with the Customer by providing such assistance and information as the Customer may reasonably request to enable it to comply with its obligations under the applicable data protection law.
2.4. In accordance with Art. 12(3) nFADP and Article 30(2) GDPR, the Processor shall compile, keep up to date and—at the Customer's request—make available a record of processing activities containing all information required by the applicable data protection law.
2.5. The Processor warrants that it will cooperate with the Customer to enable it to carry out any data protection impact assessments pursuant to Art. 22 nFADP and Article 35 GDPR where applicable, i.e. where the Customer, in its sole discretion, considers that certain processing operations may result in a high risk to the rights and freedoms of natural persons.
3. Security measures
3.1. The Processor shall ensure that personal data processed on behalf of the Customer is stored with logical separation from personal data processed for its own purposes and/or on behalf of other third parties.
3.2. The Processor shall implement and maintain appropriate technical and organisational security measures to protect personal data against unlawful or accidental destruction or loss, damage, alteration, unauthorised disclosure or access.
4. Risk assessment and privacy by design and by default
4.1. The Processor warrants that it will cooperate with the Customer to give effect to mitigation actions aimed at addressing any risks identified by the Customer following its risk assessments.
4.2. Taking into account the state of the art, costs, and the nature, scope and purposes of the processing, the Processor shall enable the Customer to adopt any technical and organisational measures reasonably appropriate to ensure and implement the principles set out in the applicable data protection law and to safeguard data subjects' rights.
4.3. In line with the principles of privacy by design and by default, only the personal data strictly necessary for each specific purpose of the processing shall be processed by default.
5. Authorised persons
5.1. The Processor warrants that its employees and contractors authorised to process personal data on behalf of the Controller are competent and reliable and have received appropriate training on security and personal data protection.
5.2. In relation to the processing of personal data, the Processor shall impose on authorised persons confidentiality obligations no less onerous than those set out in the Services Agreement. In any event, the Processor shall be directly liable to the Customer for any personal data breach committed by authorised persons.
6. Sub-processors
6.1. In the context of the performance of the Services Agreement, the Controller hereby authorises the Processor to appoint sub-processors (the "Sub-processors"), provided that the Processor informs the Controller and imposes on such Sub-processors personal data processing terms no less onerous than those set out in this Agreement. The relevant provisions of the applicable data protection law shall apply to the activities of the Sub-processors.
7. Transfer of personal data abroad
7.1. Personal data is processed in Switzerland and may be disclosed to third parties operating within the European Economic Area. Certain Sub-processors, being IT service providers, may carry out processing activities on behalf of the Processor in the United States of America. Such providers operate in compliance with the Adequacy Decision for the EU‑US Data Privacy Framework of 10 July 2023.
7.2. Pursuant to Article 27 GDPR, the Controller has appointed a representative within the territory of the European Union, who may be contacted by post or email at the following addresses:
- Talha Aktas, Warmbronnerstraße 13/2, D-71106 Magstadt, Germany
- aktas@proprix.ch
8. Erasure of personal data
8.1. The Processor shall return or erase the personal data processed for the performance of the Services Agreement within 30 (thirty) days of termination of the Services Agreement for any reason and, in any event, whenever requested by the Customer, including where erasure is required following a specific request by a data subject.
9. Controller audit
9.1. The Processor shall make itself available for any privacy and personal data protection audits the Controller may wish to carry out, provided that such audits shall not concern third-party data or information subject to confidentiality obligations.
10. Investigations by the competent authority and complaint handling
10.1. To the extent permitted by applicable law, the Processor shall promptly inform the Controller of any request or communication from the competent personal data protection authority, from public authorities or law enforcement agencies, as well as of any request from data subjects.
10.2. The Processor shall cooperate with the Controller to ensure that the Controller can respond to such requests and communications in the manner and within the time limits provided for by the applicable data protection law.
10.3. In the event of receipt of a complaint relating to the processing activities governed by this Agreement, the Processor shall:
- promptly notify the Controller
- coordinate with the Controller in order to provide any responses to the complaint
- not settle any disputes without the prior involvement and consent of the Controller.
11. Personal data breach
11.1. The Processor undertakes to notify the Controller as soon as possible and, in any event, within the time limits provided for by the applicable data protection law, of any security breach that has led, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, including breaches affecting its Sub-processors. The notification shall include any information that must be provided to the Controller under the applicable data protection law.
11.2. The Processor undertakes to provide the Controller with the necessary support to enable it to carry out appropriate investigations and assessments concerning the breach, including to identify, prevent and limit its adverse effects. Subject to agreement with the Controller, the Processor shall cooperate with the Controller to take any action reasonably necessary to remedy the breach. The Processor undertakes not to disclose or otherwise release information regarding any personal data breach unless the Customer has given its express consent.
12. Description of the processing
12.1. Under this Agreement, the Processor processes personal data on behalf of the Controller as set out below.
- Categories of data subjects whose data is processed by the Processor: Users of the landing pages.
- Categories of personal data processed by the Processor (ordinary data):
  - Browsing data
  - Personal and identification data (where contact forms are completed)
  - Contact details, such as email address and telephone number, where provided in the contact form
  - Statistical data relating to the use of the landing pages
  - Any further personal data entered by the user in the contact forms.
- Means of processing: Processing by electronic means.
- Purposes for which the data is processed by the Processor: Personal data is processed in order to perform the Services Agreement with the Customer and, in particular:
  - to assist the Customer with statistical analyses relating to visits to and use of the landing pages
  - to manage users' contact requests and maintain an archive of correspondence.
- Duration of the processing: Until termination of the Services Agreement for any reason. The data will be erased and/or returned to the Controller within the time limits set out in Article 8 above ("Erasure of personal data").
13. Fees
13.1. The Processor's fees for performing this Agreement are included in the fees paid by the Customer under the Services Agreement.
14. Amendments
14.1. Any amendments or additions to this Agreement must be approved in writing by the Parties. To the extent not expressly provided for herein, this Agreement shall be governed by the applicable data protection law.
Date of last update: 01/10/2025