Order processing agreement (AVV)

Cloud Connection GmbH (“Cloud Connection”) provides the customer with hosting, IT and marketing services in relation to one or more of the customer’s websites or applications. When providing the services, Cloud Connection stores personal data on behalf of and for the purposes of the customer (“order processing”).

1. Subject and scope of the AVV

1.1. This contract for data processing (“AVV”) regulates the obligations, roles and responsibilities of Cloud Connection and the customer (“contractual parties”) with regard to order processing.

2. Validity, duration

2.1. Cloud Connection makes this AVV available to its customers. As soon as the customer receives a service from the Cloud Connection For the contracting parties, the AVV becomes a binding part of their contractual agreements regarding the provision of services. This AVV applies for the entire duration of the collaboration and, if necessary, until the personal data affected by the order processing are deleted (see Section 4.2). Cloud Connection.

2.2. The provisions of this AVV supplement the provisions of the General Terms and Conditions. They do not restrict the rights and obligations of the contracting parties with regard to the provision or use of the services. However, as far as the subject matter is concerned, the provisions of this AVV (unless expressly agreed otherwise) take precedence over the provisions of the General Terms and Conditions.

3. Scope of the AVV

3.1. This AVV applies (as soon as the customer has agreed to it) with regard to order processing within the scope of Cloud Connection services provided.

3.2. This GPA expressly does not apply to the processing of personal data in which: Cloud Connection determines the purposes and means of processing and is therefore responsible under the Swiss Federal Data Protection Act (nDSG) or any applicable other data protection laws (in particular the EU GDPR).

Such processing of personal data Cloud Connection as the person responsible (e.g. processing personal data as part of billing for services or communication with the customer). Cloud Connection in accordance with the privacy policy of Cloud Connection and applicable data protection laws.

4. Information on order processing

4.1. The object and purpose of order processing is the provision of services Cloud Connection for the customer. Order processing consists of storing, providing, transmitting and deleting personal data in accordance with the provisions of the service contract.

4.2. The order processing affects personal data that the customer chooses on the basis of Cloud Connection infrastructure used to provide the service as well as data of persons to whom the customer grants access to its website or application. This particularly concerns personal data that is usually collected when accessing, running and using websites and applications. This includes log data that is automatically collected during the informational use of a website or an application (e.g. the IP address and the operating system of the user's device as well as the date and access time of the browser), data entered by or for the user and by Usage data collected from customers with personal reference (hereinafter “personal data”).

5. Roles and responsibilities

5.1. The customer confirms and Cloud Connection acknowledges that the customer is and remains responsible for the processing of personal data in accordance with applicable data protection laws. The customer therefore takes on the role of the person responsible. This applies to cases in which the customer himself is the processor of the personal data (see Section 5.4).

5.2. Cloud Connection acknowledges that the customer, in the role of responsible person, is obliged to Cloud Connection When using services, to contractually override some of its obligations under the Swiss Data Protection Act (DSG) and the EU GDPR (or other applicable data protection laws).

5.3. Cloud Connection assumes the role of processor with regard to the processing of affected personal data. Provided Cloud Connection is not also subject to the Swiss Data Protection Act (DSG) and the EU GDPR (or any other applicable data protection laws) for this order processing Cloud Connection this role only on the basis of the contractual obligations of Cloud Connection in accordance with this AVV and is not obliged solely for this reason under the Swiss Data Protection Act DSG and the EU GDPR (or any other applicable data protection laws).

5.4. If the customer is a processor (i.e. if the customer is entitled to make the applications available to his customers according to the service contract), he confirms that his customer (i.e. the controller) has authorized him to subcontract processing and issue any instructions in accordance with a separate contract Cloud Connection has authorized.

6. Obligations of Cloud Connection

6.1. Cloud Connection undertakes to process the personal data only to provide the services in accordance with the service description and contractual obligations as well as in accordance with this AVV.

6.2. Cloud Connection is entitled to process the customer's personal data in such a way as to fulfill the performance obligations arising from the service contract and this AVV. Upon appropriate request Cloud Connection willing to implement further instructions from the customer relating to order processing. The prerequisite for this is that these are for Cloud Connection can be implemented within the scope of the contractually agreed services and is objectively reasonable and does not lead to additional costs or a change in the scope of services. In any case, the fulfillment of legal or regulatory obligations remains reserved Cloud Connection subject to.

6.3. Cloud Connection ensures compliance with the provisions of this AVV by the employees and others entrusted with order processing Cloud Connection people and companies who have access to personal data. Cloud Connection also undertakes to ensure that persons with access to personal data are kept confidential (including for the duration of their work for Cloud Connection beyond).

6.4. Cloud Connection undertakes to take appropriate technical and organizational measures in the interest of the confidentiality, integrity and contractual availability of personal data. Cloud Connection implements in particular access controls, access controls and procedures for regular checking, assessment and evaluation of the effectiveness of technical and organizational measures. Taken into account when selecting the measures Cloud Connection the state of the technology, the implementation costs as well as the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for data subjects. The applicable measures result from the current service descriptions Cloud Connection.

6.5. Cloud Connection undertakes to inform the customer in writing without delay if Cloud Connection Became aware of a data security breach involving personal information. Thereby has Cloud Connection inform the customer of the nature and extent of the violation as well as possible remedial measures. The contracting parties shall jointly take the necessary measures to ensure the protection of personal data and to mitigate possible adverse consequences for the data subjects. Furthermore, commits himself Cloud Connectionto provide the customer, upon written request, with sufficient information to enable them to fulfill their obligations under the Swiss Data Protection Act (DSG) and the EU GDPR (or any other applicable data protection laws) regarding the reporting, investigation and documentation of data security breaches.

6.6. Cloud Connection undertakes to provide assistance to the customer upon written request and against separate appropriate remuneration, as well as within the scope of the company's operational resources and possibilities Cloud Connection to support the customer in fulfilling the rights of those affected (in particular the rights to information, correction and deletion) (concerning personal data) in accordance with the Swiss Data Protection Act (DSG) and the EU GDPR (or any other applicable data protection laws). If a data subject addresses demands regarding the fulfillment of data subject rights directly Cloud Connection, becomes Cloud Connection refer the person concerned to the customer. The prerequisite for this is that Cloud Connection can make such an assignment to the customer based on the information provided by the person concerned.

6.7. Cloud Connection is obliged to notify the customer in writing without delay if Cloud Connection receives a request (e.g. a request for information or deletion) from a data subject regarding personal data; provided that an assignment to the customer is possible based on the information provided by the person concerned.

6.8. Cloud Connection is upon written request and against separate appropriate remuneration and taking into account the operational resources and possibilities of Cloud Connection ready to support the customer with data protection impact assessments and consultations with supervisory authorities.

6.9. Cloud Connection will release or delete the personal data after the end of the term of the service contract in accordance with the provisions of the service contract.

7. Involvement of sub-processors

7.1. If the customer uses services from Cloud Connection, which concern personal data and are provided by third parties, remains Cloud Connection processor towards the customer and fulfills the relevant obligations under the AVV. The provider of the third-party service included in the service of Cloud Connection is integrated, is a sub-processor of Cloud Connection. A distinction must be made between cases in which: Cloud Connection provides the customer with a direct contract conclusion with the third-party service provider and the third-party service provider becomes the customer's direct processor. In such cases, the customer is responsible for making any necessary agreements with the third-party service provider under applicable data protection laws.

7.2. Cloud Connection is entitled to sub-processors in the context of providing the services of Cloud Connection (e.g. as part of the website creation service). Cloud Connection In such cases, we are obliged to conclude a contract with sub-processors to the extent necessary Cloud Connection enables compliance with the provisions of this AVV.

7.3. Cloud Connection will inform the customer in advance in an appropriate manner if Cloud Connection after the entry into force of this AVV, engages new sub-processors or replaces existing ones in relation to existing services. If Customer does not object within thirty (30) days of the date of notice for important data protection reasons, the new or replaced sub-processor will be deemed approved.

7.4. If the sub-processing involves a transfer of personal data to a country outside the EU/EEA/Switzerland Cloud Connection sure, that Cloud Connection complies with the provisions of the EU GDPR (or similar provisions of the Swiss Data Protection Act) regarding the transfer of data to a third country (e.g. by selecting a sub-processor that is subject to the US-Swiss Privacy Shield or by including recognized standard contractual clauses for the transfer of personal data to processors in third countries).

8. Customer Obligations

8.1. The customer is responsible for the lawfulness of the processing of personal data, including the admissibility of order or sub-order processing.

8.2. The customer independently takes appropriate technical and organizational measures to protect personal hosting data within his area of responsibility (e.g. on his own systems and applications).

8.3. The customer undertakes to Cloud Connection to be informed immediately if the customer is in the provision of services Cloud Connection detects violations of applicable data protection laws.

9. Information and audit rights

9.1. Cloud Connection is obliged, upon written request, to provide the customer, free of charge, with all information that the customer reasonably requires to demonstrate compliance with this AVV to data subjects or data protection supervisory authorities.

9.2. Cloud Connection enables the customer or an auditor commissioned by the customer and obliged to maintain confidentiality to ensure compliance with this AVV Cloud Connection to consider. If the AVV is violated after appropriate evidence has been presented Cloud Connection Has been established Cloud Connection to implement appropriate corrective measures immediately and free of charge.

9.3. The customer's above information and audit rights only exist to the extent that the service contract does not grant the customer other information and audit rights that correspond to the relevant requirements of the applicable data protection laws. Furthermore, these information and audit rights are subject to the principle of proportionality and the protection of interests worthy of protection (in particular security or confidentiality interests). Cloud Connection. Unless otherwise agreed between the contracting parties, the customer bears all costs of information and testing, including proven internal costs of Cloud Connection.

10. Changes to this AVV

10.1. Cloud Connection reserves the right to change this AVV (a) if this is necessary to adapt to legal developments or (b) if this does not lead to a deterioration in the overall security of order processing and (at the discretion of Cloud Connection) does not have a significant negative impact on the rights of the persons affected by the order processing.

10.2. Cloud Connection informs the customer of any intended changes to this AVV in accordance with Section 10.1 no later than thirty (30) days before they come into effect. If the customer wishes to object to the change, he or she may terminate this DPA within thirty (30) days from the date of the DPA notice. Without objection within this period, the change is deemed to have been approved.

11. General provisions

11.1. In deviation from any written form reservations agreed in the service contract, this AVV can be agreed or changed electronically between the contracting parties.

11.2. If this AVV requires a written request or notification, it is sufficient (for notifications to the customer) to send an email to the customer's specified address or (for notifications to Cloud Connection) Email to the written form requirement.

11.3. Data protection terms such as “personal data”, “process”, “controller”, “processor”, “data protection impact assessment”, etc. have the meaning assigned to them in the EU GDPR or, depending on the context, in the Swiss Data Protection Act. “Data security breach” means “personal data breach”.

11.4. The contracting parties hereby submit to the choice of jurisdiction specified in the service contract for all disputes and claims arising from or in connection with this AVV.

11.5. Should one or more provisions of the AVV be or become ineffective or void, this will not affect the effectiveness of the remaining provisions. The ineffective or void provisions will be replaced by the provision that the contracting parties would have made in good faith and from an economic perspective if they had known of the defect at the time the AVV was concluded. The same applies in the event of any gaps in the AVV.


Last updated: November 2023