Data Processing Agreement
The following is a machine-translated version of the German original. The German original is legally binding.
1. Definitions of terms
Applicable data protection laws refer to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR), the Swiss Federal Act on Data Protection (FADP), the Swiss Ordinance to the Federal Act on Data Protection (FADP) and, where applicable, other applicable data protection legislation.
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as the data subject); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
APPAGIC Tools: APPAGIC Tools refers to various tools made available by Hofmänner New Media GmbH to customers as standard software. The current list can be accessed at www.appagic.com.
2. Scope and Subject Matter
2.1 Scope
This agreement applies to any form of processing of personal data carried out by the Processor on behalf of the Controller, in particular to all tools managed via www.appagic.com.
2.2 Subject Matter, Duration, Nature and Purpose
The subject matter, duration, nature and purpose of the processing are defined in the main agreement.
2.3 Nature of Personal Data / Categories of Data Subjects
As a general rule, the processing specification in the main agreement shall apply. Where this does not explicitly mention details, the following provisions shall apply.
2.3.1 Subject Matter, Nature and Purpose of Processing
The Processor provides the Controller with platforms that facilitate the organisation and execution of events as well as general organisational or administrative tasks of an organisation through digitalisation.
2.3.2 Duration of Processing
Personally identifiable data will be retained in the system until it is deleted by the Controller or the use of the tools is discontinued.
2.3.3 Categories of Data Subjects / Nature of Personal Data
The following categories of data shall be processed for the performance of the tasks:
- Contact person of the Controller: Contact details (name, telephone number, email address) of the responsible contact person at the Controller. Depending on the payment method, credit card numbers may also be processed.
- System users (administrators): The following data of system users are processed: name, telephone number, email address and photo.
- Data subjects (individuals associated with the purpose of the platforms and with the Controller): Contact information (first name, surname, email addresses, telephone number, date of birth, gender, address and other information freely defined by the Controller) of individuals recorded in the system in connection with the purpose of the platforms.
3. Obligations of the Processor
3.1 Processing in Accordance with Instructions
The Processor undertakes to process the data solely for the purposes of the main agreement, including this agreement, and in accordance with the documented instructions of the Controller. This applies in particular to the transfer of data to a third country or to an international organisation. If the Processor is obliged by the law of the European Union, a Member State, or a non-EU country to which it is subject to carry out further processing, it shall inform the Controller of these legal requirements before processing. The Processor is responsible for ensuring its own compliance with the applicable data protection laws with regard to the data it processes.
The Controller may issue, amend or supplement instructions at any time. This includes instructions relating to the rectification, erasure, or restriction of personal data. All instructions must be documented in writing by both the Controller and the Processor.
If the Processor believes that an instruction from the Controller violates data protection regulations, it shall immediately inform the Controller. The Processor is entitled to suspend the execution of the instruction until it has been confirmed or amended by the Controller. The Processor may refuse to execute an instruction that is clearly unlawful.
The obligations directly arising from applicable data protection laws, such as the maintenance of a record of processing activities, remain unaffected by this agreement.
3.2 Duty of Confidentiality
The Processor undertakes and guarantees that all persons entrusted with data processing, including subcontractors, are bound in writing to confidentiality before commencing their duties, or are subject to an appropriate legal confidentiality obligation, and that this obligation remains in effect even after their engagement with the Processor has ended. The Processor shall be liable for any breaches of confidentiality by such persons, including subcontractors, as if it were its own conduct.
3.3 Security Measures of the Processor
The Processor undertakes and guarantees that it has implemented and will maintain all necessary measures to ensure the security of the processing and to prevent unauthorised processing, loss, or damage of personal data. This includes, in particular, the minimum safeguards described in the Technical and Organisational Measures.
3.4 Support Obligations
The contractor is obliged to support the client at any time and to the extent possible in complying with the applicable data protection laws upon request.
3.4.1 Requests and Rights of Data Subjects
The Processor undertakes to assist the Controller, through appropriate technical and organisational measures, in fulfilling its obligation to respond to requests to exercise the rights of data subjects as outlined in applicable data protection laws (in particular, rights to information, access, rectification and erasure, data portability, objection, and automated individual decision-making), within statutory timeframes, and to provide the Controller with all necessary and available information.
If such a request is addressed to the Processor, it must immediately forward it to the Controller. The Processor shall not respond to such requests unless legally required to do so. In any case, the parties agree to coordinate the response to such requests.
3.4.2 Further Information and Support Obligations
The Processor agrees to support the Controller, considering the information available to it, in fulfilling its obligations under applicable data protection laws (data security measures, notifications of personal data breaches to the supervisory authority, notification of affected individuals, data protection impact assessments, and prior consultations).
The Processor undertakes to notify the Controller without delay in the event of:
(i) any actual or suspected data protection breach (including breaches of the main agreement and this agreement or any other relevant data protection violations);
(ii) any impairments or deficiencies on the part of the Processor that could prevent compliance with the provisions of the main agreement or this agreement;
(iii) receipt of access requests or actual access to personal data by authorities, unless such notification is prohibited by law for compelling public interest reasons.
3.5 Return or Deletion Obligation upon Termination
Upon termination of the main agreement, including this agreement, or upon request by the Controller, the Processor is obliged to either return all personal data to the Controller or delete it—at the Controller's discretion—without retaining any copies, subject to statutory retention obligations within the EU/EEA or Switzerland, and to confirm such deletion to the Controller.
3.6 Audit Rights of the Controller
The Processor undertakes to provide the Controller with all information necessary to demonstrate compliance with this agreement and to allow for and actively support audits, including inspections, carried out by the Controller, an auditor mandated by the Controller, or the supervisory authority. Audits shall be conducted in a manner that avoids unnecessary disruption to the Processor’s business operations.
4. Obligations of the Controller
The Controller undertakes to import into the Processor’s systems only those personal data that it is explicitly authorised to process and use. The Controller shall ensure that all system users are properly instructed and trained.
If the Controller instructs the Processor to import personal data, it must first ensure that such data may legally be imported into the Processor’s systems.
5. Location of Data Processing
Data processing is carried out at the premises of the Processor and its subcontractors.
The Processor undertakes not to transfer any personal data, even in part, to a third country without the prior written consent of the Controller.
If processing activities take place, even partially, outside Switzerland or the EU, an adequate level of data protection must first be ensured through appropriate safeguards.
The safeguards applied for data transfers are referenced in the list of subprocessors.
6. Use of Subprocessors
The Processor is entitled to engage subprocessors, provided that the Controller is informed in advance.
For APPAGIC Tools, the Processor is authorised to engage the companies listed on the website (https://qual.appagic.com/en-uk/subcontractor) as subprocessors. For non-APPAGIC-related projects, the Processor and Controller shall jointly establish a corresponding list.
Planned changes to subprocessors must be communicated to the Controller in good time, so the Controller may terminate the agreement if necessary. The Processor shall enter into the required written confidentiality and data protection agreements with the subprocessors, which must be at least as stringent as the provisions of the main agreement, including this agreement. The Processor shall in particular ensure that the subprocessor undertakes the same obligations and implements the same technical and organisational measures as required of the Processor under this agreement.
The Processor shall be liable to the Controller for the compliance of the subprocessor with its obligations as if they were its own.
The Processor is not liable for tools that are independently integrated by the Controller or at the Controller’s explicit request. In such cases, the Controller remains responsible for compliance with all data protection regulations.
7. Execution of Additional Agreements
The Processor agrees to enter into further agreements with the Controller on the processing of personal data, upon the Controller’s request and within the scope of existing contracts, if the Controller reasonably deems this necessary to comply with applicable data protection laws.
8. Extraordinary Right of Termination
The Controller may terminate the agreement at any time without notice if there is a serious breach by the Processor of data protection regulations or of the provisions of this agreement; if the Processor is unable or unwilling to follow an instruction from the Controller; if the Controller disagrees with a new subprocessor; or if the Processor unlawfully refuses to grant audit rights to the Controller. In particular, failure to comply with the obligations set out in this agreement shall be deemed a serious breach.
9. Relationship to Existing Agreements
- In the event of a conflict between a provision of this agreement and the main agreement, the provision of this agreement shall prevail.
- The provisions of this agreement shall remain in force even after the termination of the main agreement, as long as the Processor retains personal data of the Controller.
10. Final Provisions
Amendments and additions to this agreement may be made unilaterally by the Controller. Amendments must be made in writing and communicated to the Processor 30 days before they take effect. If the Processor disagrees with any amendment, it may terminate the main agreement extraordinarily and with immediate effect within 30 days of the amendment taking effect.
Should any provision of this agreement be or become wholly or partially invalid, the validity of the remaining provisions shall remain unaffected. The parties agree to replace the invalid provision with a valid one that most closely reflects the economic intent and purpose of the invalid provision.
This agreement is governed by Swiss law, excluding the Swiss Federal Act on Private International Law (IPRG). The exclusive place of jurisdiction for disputes arising from or in connection with the interpretation and application of this agreement shall be the courts of the City of Winterthur, Switzerland.
Version of 01.01.2024