- Definitions
- Scope and Roles
- Data Protection
- Customer Responsibilities
- Subprocessing
- Restricted Data Transfers
- Assistance and Notifications
- Audit
- Deidentified Data
- General
- Limitation of Liability
ANNEX I
- LIST OF PARTIES
- DESCRIPTION OF TRANSFER
| Item | Description |
| --- | --- |
| Subject Matter | Artie’s provision of the services to Customer |
| Duration of the Processing | Personal Data will be retained only transiently or for a short duration to transmit the Personal Data from Customer’s chosen source to Customer’s chosen destination. Artie will process Customer Personal Data for the purposes of providing the services to Customer under the agreement. |
| Frequency of the Processing | As and when the services are used, for the duration of the account/agreement life-cycle. |
| Categories of Data | Any Personal Data selected by Customer in connection with Customer’s use of the services. The types of Personal Data processed are determined by Customer and may include, without limitation: name, email address, physical address, IP address and other online identifiers, date of birth, telephone/mobile number, location data. |
| Special Categories of Data Processed | The services are not intended to Process special categories of data. |
| Data Subjects | Any data subjects of the Personal Data selected by Customer. |
ANNEX II
Artie shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

Physical access control. Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-key procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) securing decentralized data Processing equipment and personal computers.

Virtual access control. Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in attempts and automatic turn-off of the user ID after several erroneous password attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.

Data access control. Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data as is in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

Disclosure control. Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

Entry control. Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted) from data Processing systems, and by whom, include: (a) logging and reporting systems; and (b) audit trails and documentation.

Control of instructions. Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

Availability control. Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

Separation control. Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal Customer” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion and transmission of data for different purposes.

ANNEX III
This Annex III applies as set out in Clause 6.6 of this DPA.
- Interpretation
- Hierarchy
- Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws
- Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws