This policy applies to the Processing of Personal Data of Data Subjects by Metrika on behalf of Clients of Metrika whereby Metrika will be acting as Processor and the Client will be acting as Controller (the Policy).
All capitalized terms will have the meanings ascribed to such terms in this Policy or as otherwise defined in the service agreement between Metrika and the Client.
1. The Client authorizes and instructs Metrika or any Metrika Affiliate to:
(a) Process the Personal Data for all legitimate and relevant purposes in connection with the Services of Metrika;
(b) Process the Personal Data insofar as necessary to comply with a legal obligation of the Client or Metrika, including the disclosure of Personal Data to competent local authorities;
(c) Transfer the Personal Data as necessary or relevant to any Sub-Processor,
together hereinafter referred to as the Authorized Purposes.
Metrika will not further Process the Personal Data in a way that is incompatible with the Authorized Purposes.
At Client’s request, Metrika shall provide the Client with information as to the names and addresses of the Sub-Processors as well as the nature of the Processing activities performed by such Sub-Processors.
2. Metrika shall keep the Personal Data confidential and will instruct its staff and Sub-Processors to do the same. Metrika shall implement appropriate and commercially reasonable technical, physical and organizational measures and precautions to protect the Personal Data from accidental loss, misuse, unauthorized access and disclosure, alteration, or unlawful destruction, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of Processing. Such measures shall comply with Applicable Law. The security measures are further described and specified in the document “Statement of Continuity”.
3. Metrika shall without undue delay, but within the period specified by Applicable Law, inform the Client of any loss or breach of security of the Personal Data. Metrika shall at least provide the following details:
(a) the nature of the loss or breach and
(b) an estimation of the number of Data Subjects involved, and, where possible, their names.
4. The Client and each Client Affiliate involved warrant that:
(a) the Client is entitled to provide the Personal Data to Metrika or to the relevant Metrika Affiliate and that the Client is authorized to engage Metrika and/or the Metrika Affiliate(s) as Processor(s);
(b) the Client complies and will continue to comply with all Applicable Law as well as with any other applicable obligations regarding the Processing and protection of Personal Data, including but not limited to any contractual obligations or agreements or protocols agreed with employee representatives;
(c) the Client has informed Metrika and will inform Metrika of all obligations and restrictions referred to in sub-section 4 (b), which are applicable to the Personal Data and relevant to the Services, including, but not limited to, having provided Metrika with the applicable privacy notice(s);
(d) the processing of the Personal Data is lawful and does not infringe any third party rights;
(e) no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that their Personal Data will be Processed by Metrika or – as the case may be – Metrika’s Sub-Processors for the Authorized Purposes and that the Client has obtained all consents of the Data Subjects required under Applicable Law, which includes the Processing of the Personal Data by Metrika or its Sub-Processors;
(f) no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that the Services may require the transfer of the Personal Data, specifically any Sensitive Data where relevant, to a Metrika Affiliate or Sub-Processor in a third country providing a level of protection different than the protection afforded to such Personal Data by the laws in the jurisdiction in which the Client is established or in which Client’s employees reside, and that the Client has obtained all consents of the Data Subject to such transfer required under Applicable Law;
(g) the Personal Data provided to Metrika are accurate.
5. Upon termination of the Agreement in whole or in part and at Client’s choice, Metrika shall:
(a) destroy all Personal Data Processed and any copies thereof and certify to the Client at Client’s written request that it has done so; or
(b) in accordance with Client’s instructions return all Personal Data Processed and the copies thereof to the Client or Client Affiliate, unless any Applicable Law, competent court, supervisory or regulatory body prevents Metrika from returning or destroying all or part of the Personal Data transferred. The obligation to destroy or return Personal Data does not apply to any notes, analyses, memoranda, minutes or other internal corporate documents, prepared by or on behalf of Metrika which are based on, derived from, contain or otherwise make reference to Personal Data. Furthermore, Metrika is entitled to retain copies of any computer records and files containing Personal Data which have been created pursuant to automatic electronic archiving and back-up procedures and which are not immediately retrievable as part of day-to-day business. Metrika hereby warrants the confidentiality of the Personal Data and that such Personal Data will not be Processed for the Authorized Purposes or any other purposes other than their storage or their protection or as required by Applicable Law.
6. (a) At Client’s written request, the Metrika Affiliate Processing the Personal Data of the Client shall allow an audit (whether on-site or remotely) to verify Metrika’s compliance with its obligations under Applicable Law and this Agreement, to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality and selected by the Client and approved by the Metrika Affiliate (which approval shall not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The audit will be carried out in close cooperation with Metrika’s Chief Information Security Officer. Parties shall agree the scope of the audit in advance. The Client shall notify Metrika and the Metrika Affiliate in writing a minimum of fifteen (15) calendar days prior to any audit being carried out. The Client shall bear the costs of the audit. Metrika is entitled to a reasonable compensation for the costs of the audit incurred by Metrika, to be paid by the Client.
(b) Metrika shall assist the Client, to the extent reasonably possible, (i) to comply with Applicable Law in a reasonable time and (ii) to respond to any Data Subject access, correction, erasure or blocking requests and objections.
7. The Client will indemnify and hold Metrika, Metrika Affiliates and Sub-Processors harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from the Processing of Personal Data by Metrika and/or which result from the breach of any of the warranties of the Client in this Policy.
Metrika and Metrika Affiliates will indemnify and hold the Client harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from or resulting from the breach of any of the obligations of Metrika in this Policy.
8. Any agreement between Metrika and a Sub-Processor shall at least contain similar obligations as section 1, section 2, section 3, section 5 and section 6 in this Policy.
9. In the event of cross-border transfers of Personal Data between the Metrika Affiliate and any Sub-Processor, the following shall apply (insofar as relevant):
(a) Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by Metrika in the context of such establishment), the Personal Data may, at the discretion of Metrika, be transferred to (i) one or more Metrika Affiliates in either one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to (ii) one or more Metrika Affiliates in one or more third countries on the basis of the Binding Corporate Rules For Processing Customer Personal Data (Processor) of Metrika, which are published on the website of Metrika (www.Metrika.ch/gdpr-statement/). In such case, the information referred to in sub-section 4 (f) in this Policy shall include a reference to the Binding Corporate Rules For Processing Customer Personal Data (Processor) of Metrika, Data Subject’s rights thereunder and Metrika’s complaint procedure. The Client or the relevant Metrika Affiliate, as applicable, shall upon request of the Data Subject, provide the Data Subject(s) with a copy of such Binding Corporate Rules and this Agreement (without any business sensitive or Confidential Information). Where permitted by Applicable Law, Metrika shall, no later than the Go-Live Date, obtain all relevant authorizations or permits for such transfer of Personal Data based on such Binding Corporate Rules. Where Applicable Law does not allow Metrika to obtain such authorization or permit for itself, the Client shall in a timely manner issue a Power-of-Attorney to the relevant Metrika Affiliate to obtain such authorization or permit on behalf of the Client. 
Where the use of a Power-of-Attorney is not accepted under Applicable Law, the Client warrants that it has obtained, no later than the Go-Live Date, all necessary authorizations or permits to allow Metrika to share the Personal Data with Affiliates of Metrika in a third country.
(b) Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by Metrika in the context of such establishment), the Personal Data may, at the discretion of Metrika, be transferred to one or more Sub-Processors (other than Metrika Affiliates) in one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to one or more such Sub-Processors in one or more third countries on the basis of an exception under Applicable Law or on the basis of adequate safeguards adduced either, insofar as allowed under Applicable Law, by Metrika to ensure the protection of the Personal Data, or by the Client, in which case Metrika shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub-Processor. At Client’s request, Metrika shall inform the Client of the applicable basis for the cross-border transfer of the Personal Data.
(c) Where the data protection or privacy law of any country outside the European Economic Area or Switzerland applies to the Personal Data, the Client warrants that any cross-border transfer of Personal Data from Metrika to a Sub-Processor shall be allowed on one of the following grounds, justifications or safeguards allowed under Applicable Law:
(i) the cross-border transfer of the Personal Data is allowed under Applicable Law, without any additional safeguards to be taken by the Client;
(ii) the consent of the Data Subjects obtained by the Client;
(iii) a contract between the Client and the receiving Sub-Processor of the Personal Data;
(iv) the transfer is necessary for the performance of a contract between the Client or any Client’s Affiliate and the Data Subject; or
(v) any other safeguard or instrument.
The applicable ground, justification or safeguard shall be specified in a relevant statement of work or addendum to the service agreement between Metrika and the Client.
Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national laws or regulations or laws or regulations of the European Union, the Controller or the specific criteria for his/her nomination may be designated by such laws or regulations.
Data Subjects means the directors, officers and employees of the Client and/or the relevant Client Affiliate and, to the extent applicable, its customers.
Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity any information relating to Data Subjects.
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor means the party, which Processes Personal Data on behalf of a Controller.
Sensitive Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health, sex life, or any other Personal Data the processing of which is specifically restricted or specifically prohibited unless authorized by Applicable Law.
Sub-Processor means any Metrika Affiliate assisting Metrika in the provision of the Services as well as any contractor engaged by Metrika to assist Metrika in the provision of the Services in countries where Metrika does not have a presence or to provide information technology, administrative support or consultancy services to Metrika.
Metrika reserves the right to update this policy without consulting or pre-informing its clients.