EasyLife 365 Collaboration Datenverarbeitungsvereinbarung

banner
banner
banner

Last updated on August 31, 2023.

1. Purpose

  1. 1.1 EasyLife 365 AG ("EasyLife") provides customers ("Customers" or "Customer", together with EasyLife: "the Parties") with software for the governance and provisioning of Microsoft 365 tools ("Product"). The Product is provided based on and in accordance with the EasyLife general terms & conditions ("Main Contract"), which the Customer has accepted when ordering the Product.
  2. 1.2 The provision of the Product involves processing personal data by EasyLife on behalf of the Customer. The object and purpose of this DataProcessingAgreement ("DPA" or "Agreement") are to define the rights and obligations of the Parties under data protection law in connection with the use and provision of the Product governed by the Main Contract.
  3. 1.3 This Agreement forms an integral part of the Main Contract and assists the Parties in complying with the regulations on the processing of personal data applicable in Switzerland and the European Union, in particular the Swiss Federal Data Protection Act ("CH-DSG", SR 235.1) and the EU General Data Protection Regulation ((EU) 2016/679, "GDPR").

2. Scope

  1. 2.1 The provisions of this DPA, together with its annexes, which form an integral part of the DPA, shall apply to all activities related to the Main Contract in which EasyLife processes personal data on behalf of the Customer.
  2. 2.2 The categories of personal data to be processed, the type and purposes of the processing, and the categories of data subjects are listed in Annex 1 to this DPA.

3. Definitions

  1. 3.1 Unless otherwise defined in this Agreement, all terms shall have the same meaning as in the applicable data protection laws of Switzerland and the EU. If the terms or their equivalents (e.g., "sensitive personal data" and "special categories of personal data") are understood differently in the provisions applicable in the specific case, the term shall be understood for this DPA to include a broader understanding and thus ultimately cover all meanings. If a contradiction between the provisions applicable in the specific case cannot be resolved by this means, the understanding under GDPR shall prevail.
  2. 3.2 For this Agreement:
    • A: "Subcontractor" means any service provider engaged by EasyLife (or any other Subcontractor of EasyLife) to process personal data in connection with the Main Contract or this Agreement. Subcontractors within the meaning of this Agreement are only those who provide services that are directly related to the provision of the Product by EasyLife. In particular, service providers who merely provide ancillary services, such as the testing or maintenance of data processing procedures or systems by other bodies, telecommunications services, postal and transport services, or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems shall not be considered Subcontractors.
    • B: "in writing" or "written" shall also mean in an electronic form that enables proof by text, including communication by e-mail.

4. Legal responsibility of the Customer

  1. 4.1 Within the scope of this DPA, the Customer remains the controller in terms of data protection law. The Customer warrants that the transfer of personal data and the processing of such data by EasyLife and the Subcontractors as outlined in this Agreement are permissible under the applicable data protection laws and are not prohibited by any other statutory or contractual provision applicable to the Customer. The Customer shall remain solely responsible for compliance with its obligations under the applicable data protection provisions, particularly the fulfilment of data subjects’ requests.
  2. 4.2 The Customer has verified that the technical and organizational measures implemented by EasyLife as described in Annex 2 are sufficient to ensure adequate data protection for the personal data to be processed by EasyLife.
  3. 4.3 The Customer shall inform EasyLife immediately if it discovers any violations or irregularities concerning data protection provisions or its instructions during the term of the Agreement.
  4. 4.4 On request, the Customer shall provide EasyLife with all the information necessary to maintain a record of all processing activities carried out on the Customer's behalf, insofar as it is not available to EasyLife itself in easily accessible and useful form.
  5. 4.5 If EasyLife is required to provide information to a governmental body or person on the processing of personal data within the scope of this DPA or to cooperate with these bodies or persons in any other way, the Customer is obliged at the first request to assist EasyLife in providing such information and in fulfilling other cooperation obligations.

5. Data processing and obligation to follow instructions

  1. 5.1 EasyLife shall process all personal data within the scope of this DPA on behalf of the Customer and by the documented instructions of the Customer and by this Agreement, unless EasyLife is legally required to do otherwise. In the latter case, EasyLife shall inform the Customer of that legal requirement before processing unless that law prohibits such information on important public interest grounds.
  2. 5.2 The Customer’s instructions are, in principle, exhaustively stipulated and documented in the provisions of this DPA. Individual instructions derogating from this DPA's stipulations or imposing additional requirements shall require EasyLife's written consent. In this case, the instructions shall be documented in an appropriate form, and the additional costs incurred by EasyLife, as a result, shall be borne by the Customer, whereby EasyLife reserves the right to implement the individual instruction under any other procedure provided for in the Main Contract.
  3. 5.3 The Customer shall ensure that instructions are as clear and comprehensible as possible, comply with the applicable laws, in particular data protection law, and are compatible with the other requirements in this DPA. If EasyLife is of the opinion that an instruction infringes this Agreement or applicable data protection law, it is after informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction.
  4. 5.4 EasyLife reserves the right to anonymize or aggregate the personal data processed on behalf of the Customer in such a way that it is no longer possible to identify individual data subjects and to use them in this form for designing, developing, and optimizing the Product and other services to meet the needs of customers as well as for the purposes agreed upon in the Main Contract. The Parties agree that anonymized and, according to the above requirement, aggregated personal data are not considered personal data for this Agreement. Clarifying: The use of such Data is only to increase the Security and Quality of the Products of EasyLife; compliant with the regulatory requirements.
  5. 5.5 In principle, EasyLife shall process the personal data on behalf of the Customer inside the European Economic Area (EEA) or Switzerland. EasyLife is nevertheless permitted to process the personal data by the provisions of this Agreement outside the EEA or Switzerland if the Customer is informed in advance about the place of data processing and if the requirements of the applicable data protection provisions about cross-border transfers are fulfilled.

6. Technical and organizational measures

  1. 6.1 EasyLife shall implement appropriate technical and organizational measures within the meaning of the CH-DSG and the GDPR and as set out in Annex 2 to this Agreement. EasyLife is entitled to change the organizational and technical measures. However, it has to be ensured that the contractually agreed level of protection is not reduced.
  2. 6.2 EasyLife shall ensure that all persons engaged in processing personal data on behalf of the Customer are subject to a contractual or statutory duty of confidentiality concerning this data processing.

7. Information, cooperation, and support obligations of EasyLife

  1. 7.1 EasyLife shall support the Customer as far as possible and reasonable in fulfilling the requests and claims of data subjects laid down in Chapter III GDPR, in complying with the provisions on the security of the processing of personal data, and in complying with the requirements for reporting data breaches and for carrying out data protection impact assessments (including prior consultation). The Customer shall reimburse EasyLife for any documented expenses and costs incurred as a result. This shall not apply in the cases where the support became necessary due to (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of this DPA, by EasyLife.
  2. 7.2 As far as a data subject submits a request for the exercise of his rights directly to EasyLife, EasyLife will forward this request to the Customer in a timely manner.
  3. 7.3 EasyLife will provide the Customer with all information necessary and available to prove compliance with the obligations outlined in this Agreement, to the extent that the Customer does not already have such information.
  4. 7.4 The Customer shall have the right to audit EasyLife's compliance with this Agreement (including inspections) or to have such audit conducted by a qualified third party subject to a duty of confidentiality. EasyLife shall allow for and, as far as reasonable, contribute to such audits. The Customer shall reimburse EasyLife for any documented expenses and costs incurred as a result, unless the reason for the inspection was caused by (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of contract, by EasyLife. The costs incurred on the part of the Customer shall be borne by the Customer.
  5. 7.5 In order to carry out inspections in accordance with Section 7.4, the Customer is, as far as reasonable and necessary to comply with the data protection requirements, entitled to access the business premises of EasyLife in which personal data is processed on behalf of the Customer within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification at his own expense, without disruption of the course of business and under strict confidentiality of EasyLife's business and trade secrets. EasyLife is entitled, at its own discretion and taking into account the customer's legal obligations, not to disclose information sensitive about EasyLife's business or if EasyLife would be in breach of statutory or other contractual provisions as a result of its disclosure.
  6. 7.5 At the discretion of EasyLife, proof of compliance with the obligations under this Agreement may be provided, instead of an inspection, by submitting an appropriate, current report from an independent and qualified company or authority (e.g. certified auditor) or a suitable certification, if the opinion, report or certification enables the Customer to appropriately verify the compliance with obligations under this Agreement.
  7. 7.6 Clarifying 7.5 and 7.6: If and as far as Customer has reasonable grounds to believe, that the provided documents or procedures in 7.5 or 7.6 are insufficient or do not enable Customer to comply with his obligations under GDPR, Customer may conduct an inspection according to sec. 7.4. In cases of urgency or outstanding importance such inspections are not bound to business hours or prior notification.

8. Subcontractors

  1. 8.1 The Customer grants EasyLife the general authorization to engage Subcontractors with regard to the processing of personal data on behalf of the Customer. Annex 3 contains a list of the Subcontractors engaged by EasyLife at the time of conclusion of the Agreement.
  2. 8.2 EasyLife shall inform the Customer in writing in advance of any intended subcontracting or replacement of existing Subcontractors. The Customer may only raise an objection for important reasons relating to data protection (e.g. if the subcontractor does not fulfill the requirements of Art. 28 para 1 GDPR), which the Customer must prove to EasyLife. If the Customer does not object within 14 days after receipt of the notification, its right to object concerning this subcontractor shall expire. If the Customer objects in compliance with the aforementioned conditions, EasyLife is entitled to terminate the Main Contract and this Agreement extraordinarily in the sense and according to the conditions of the Main Contract.
  3. 8.3 EasyLife shall conclude a written contract with the Subcontractors engaged. The contract must impose the same obligations on the Subcontractors as are imposed on EasyLife under this Agreement. The Parties agree that this requirement is met if the contract has a level of protection equivalent to this Agreement.
  4. 8.4 Subject to compliance with the requirements of Section 5.5 of this Agreement, the provisions of this Section 8 shall also apply if a Subcontractor outside of Switzerland or the EEA is involved. The Customer hereby authorizes EasyLife to conclude a contract with another Subcontractor on behalf of the Customer based on the modernized standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of the EU Commission ("modernized standard contractual clauses"). The Customer shall support EasyLife in entering into such a contract and complying with all the requirements for the cross-border transfer of personal data on behalf of the Customer within the scope of this Agreement. EasyLife may, at its sole discretion, require the Customer to enter into such a contract directly with the respective Subcontractor. Any refusal by the Customer to support or enter into the contract shall entitle EasyLife to terminate the Main Contract and this Agreement extraordinarily in the sense and according to the terms of the Main Contract.

9. Duration and termination of the Agreement

  1. 9.1 This Agreement shall apply between the Parties as of the effective date of the Main Contract and is concluded for an indefinite period. The termination of this Agreement shall follow the termination of the Main Contract.
  2. 9.2 Upon termination of this Agreement, EasyLife shall, according to Customer’s instructions
    • A: return all personal data within the scope of this Agreement and all copies thereof, including personal data supplied by and collected on behalf of the Customer, or
    • B: destroy such personal data and copies thereof.
    The return and/or destruction shall be confirmed in writing to the Customer.
  3. 9.3 Section 9.2 does not apply to personal data that EasyLife is legally obligated to store or data required to document proper and correct data processing on behalf of the Customer or to enforce or defend claims arising from this Agreement or the Main Agreement.

10. Indemnification and bearing of costs

  1. 10.1 EasyLife's liability under this Agreement shall be governed by the disclaimers and limitations of liability provided in the Main Contract. As far as third parties assert claims against EasyLife which are caused by the Customer's breach of this Agreement, of an agreement with other service providers (e.g., Microsoft), or one of his obligations under the applicable data protection law, the Customer shall upon the first request indemnify and hold EasyLife harmless from these claims.
  2. 10.2 The Customer undertakes to indemnify EasyLife upon the first request against all possible fines imposed on EasyLife corresponding to the Customer's part of the responsibility for the infringement sanctioned by the fine.

11. Various

  1. 11.1 Each party shall provide courts or supervisory authorities, and the Customer shall provide all data subjects a copy of the contents of this Agreement upon their request or if required by law.
  2. 11.2 In principle, this Agreement can be amended only with the written consent of both Parties. The Customer may clarify Annex 1, provided this does not lead to any significant change in the processing. EasyLife must be notified immediately of any such amendments. Within the scope of technological progress and developments, EasyLife is also permitted to amend details of individual technical and organizational measures, insofar as these are adequate measures and at the same time do not reduce the level of security of the previous steps. EasyLife shall inform the Customer of any such amendments.
  3. 11.3 The Customer shall not assign or transfer this Agreement or any rights or obligations arising from this Agreement to third parties without the prior written consent of EasyLife.
  4. 11.4 The substantive laws of Switzerland shall govern this Agreement. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the ordinary courts at the registered office of EasyLife. Mandatory provisions and places of jurisdiction remain reserved.

Annex 1: Description of the processing

1. Categories of personal data to be transferred and/or processed:

  1. - Company Name
  2. - Name
  3. - Business address
  4. - Telephone number
  5. - Email address
  6. - Contractual data (contractual relationship, product, or contractual interests)
  7. - Customer history, contract implementation, payment data
  8. - Audit logs (Authentication against EasyLife services)
  9. - Data related to the implementation of the Product
  10. - Data related to the use of the Product
  11. - Activity logs for troubleshooting purposes
  12. - Data related to the Customer’s Microsoft 365 environment and tools (e.g., TenantId, domains)

2. Type and purpose of the data processing:

All processing operations are required to provide the Product, and the complementary services based on the Main Contract concluded with the Customer (such as collection, processing, analysis, transfer, and storage).

3. Categories of data subjects:

  1. - Employees (internal)
  2. - Contact persons
  3. - Employees of external companies
  4. - Interested parties

Annex 2: Technical and organizational measures

a) Entry Control

Measures to prevent unauthorized persons from accessing data processing systems with which personal data are processed.

The Service is a PaaS service consumed by EasyLife and governed by Microsoft 365. There is no physical access to such environments.

b) Access Control

Measures to prevent the use of data processing systems by unauthorized persons:

  1. - Assignment of user rights
  2. - Password assignment
  3. - Authentication with username/password
  4. - Use of intrusion prevention systems
  5. - Additional measures: web-application firewalls, regular vulnerability scans, regular penetration testing, patch management, minimum requirements for password complexity
  6. - Access Control governed by Conditional Access, Privileged Identity Management (PIM), and Multi-factor Authentication
  7. - Encryption of storage accounts
  8. - Use of mobile device management (for example, remote locking and wiping of smartphones)
  9. - Hardware encryption for notebooks
  10. - Use of a software firewall (office clients)

c) Access Rights Control

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access rights and that personal data cannot be processed, used, or stored without authorization, read, copied, modified, or removed:

  1. - Creation of an authorization concept
  2. - Number of administrators reduced to the "absolute minimum.”
  3. - Logging of the application access, especially for entry, modification, and data deletion
  4. - Hardware encryption
  5. - Rights management by system administrators
  6. - Password policy with guidelines on password length, password change management

d) Transfer Control

Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or while being transported or stored on data carriers and that it can be verified and ascertained to which bodies the transmission of personal data using data transmission facilities is intended:

  1. - Documentation of data recipients and transmission times, including agreed deletion times
  2. - Hardware encryption
  3. - Data disclosure (only) in anonymized or coded form
  4. - Overview of general requests and delivery operations
  5. - TLS encryption for all communications (web client, APIs, mobile apps)

e) Input control

Measures to ensure that it is possible to verify at a later date whether and by whom personal data can be entered, modified, or removed in data processing systems:

  1. - Logging of entry, modification, and deletion of data
  2. - Traceability of data entry, modification, and deletion by individual users (not user groups)
  3. - Assignment of rights for entry, modification, and deletion of data based on an authorization concept
  4. - Creation of an overview of the approved applications for entering, modifying, or deleting data
  5. - Storage of forms through which data has been collected using automated processing

f) Instruction control

Measures to ensure that data further processed on behalf and in agreement with the data controller are only processed on its instructions:

  1. - Selection of subcontractors taking into account their history (especially about information security)
  2. - Written instructions to subcontractors
  3. - Ensure that subcontractors have appointed a data protection officer
  4. - Effective control rights assured by subcontractors
  5. - Prior review of documentation and security measures taken by subcontractors
  6. - Obligation of subcontractor's employees to maintain confidentiality
  7. - Secure deletion of data at the end of the contract
  8. - Continuous monitoring of subcontractors and their activities

g) Availability Check

Measures to ensure that personal data is protected against accidental destruction or loss:

  1. - Testing of data recovery
  2. - Creation of backup & recovery concepts
  3. - Preparation of an emergency response plan
  4. - Several data centers in the active configuration

h) Principle of Separation

Measures to ensure that personal data collected for different purposes are processed separately:

  1. - Creation of an authorization concept
  2. - Records with purpose attribute/data fields
  3. - Authorised and documented database rights
  4. - Logical client separation (at software level)
  5. - For coded data: Separation of the assignment file and storage on a separate secured IT system
  6. - Separation of productive and test systems

Annex 3: List of approved Subcontractors

NameAddressProcessing purpose
MicrosoftBlackthorn Road - 18 Dublin, IrelandProvision of Azure infrastructure and execution of API calls to the customer’s tenant
Twilio SendGrid 375 Beale St Ste 300 - 94105 San Francisco, USA Sending of e-mail communication to customers
HubSpot 277 Rue Saint-Honoré in Paris, France CRM for contract and contact management
BexioAlte Jonastrasse 24 - 8640 Rapperswil, Switzerland Billing system

Annex 4: Journal of changes

DateArticleSubject of change
2023-08-313.1the understanding under GDPR
2023-08-315.4Clarifying: The use of such Data is only to increase the Security and Quality of the Products of EasyLife; compliant with the regulatory requirements.
2023-08-317.1a) laid down in Chapter III,
b) This shall not apply in the cases where the support became necessary due to (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of this DPA, by EasyLife.
2023-08-317.4, unless the reason for the inspection was caused by (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of contract, by EasyLife.
2023-08-317.5->7.6Change in section number
2023-08-317.7Clarifying 7.5 and 7.6: If and as far as Customer has reasonable grounds to believe, that the provided documents or procedures in 7.5 or 7.6 are insufficient or do not enable Customer to comply with his obligations under GDPR, Customer may conduct an inspection according to sec. 7.4. In cases of urgency or outstanding importance such inspections are not bound to business hours or prior notification
2023-08-318.2(e.g. if the subcontractor does not fulfill the requirements of Art. 28 para 1 GDPR),
2023-08-319.2a) according to Customer’s instructions
b) or c) and
d) The return and/or destruction shall be confirmed