Appendix III: Data Protection

For the purposes of this clause, the terms “Data Subjects“, “Controller” “Personal Data“, “Process“, “Processing“, “Processor“, shall have the meaning given in Regulation (EU) 2016/679 (“GDPR“).

As part of the services provided by P.Baltensperger Consulting GmbH to the Company under this Agreement, the Parties acknowledge that each Party may provide or make available to the other Party Personal Data (“Relevant Personal Data“). Each Party shall Process Relevant Personal Data as an independent Controller (not as a joint Controller).

When Processing Relevant Personal Data, each Party shall comply with its obligations under this clause and any and all applicable privacy and data protection laws and regulations, including, GDPR and any national data protection laws made under or pursuant to GDPR (“Applicable Data Protection Laws“). Neither Party shall be responsible for the other Party’s compliance with the Applicable Data Protection Laws.

Each Party shall ensure, that the Processing of Relevant Personal Data by it, and its Processors, is lawful, fair and transparent at all times, and is only Processed for the purposes as described in this Agreement and/or as may be otherwise required under Applicable Data Protection Laws.

The Parties furthermore agree:

• to observe data secrecy and to maintain confidentiality of the Relevant Personal Data;
• to only permit access to Relevant Personal Data by employees, who are properly instructed, adequately trained on data protection compliance, and who are subject to  confidentiality undertakings or are otherwise subject to professional or statutory obligations of confidentiality;
• not to transfer Relevant Personal Data to any other related or unrelated third party, unless such third party is under binding obligations no less stringent than those contained in this clause and subject always to compliance with Applicable Data Protection Laws;
• to only transfer Relevant Personal Data from within the European Economic Area (“EEA“) or Switzerland to any recipient located outside the EEA or Switzerland, or to any international organization, subject to compliance with Applicable Data Protection Laws, and, where applicable, implementation of an appropriate safeguard, as required under the GDPR;
• to send to the other Party detailed written notice without undue delay: (i) of discovering any accidental or unlawful destruction, loss, alteration,  or unauthorized disclosure of, or access to, Relevant Personal Data; or (ii) of any other violation of Applicable Data Protection Laws or this clause as it relates to the Processing of Relevant Personal Data (“Security Breach“). The notice shall include a description of (a) the nature of the Security Breach; (b) the likely consequences; and (c) the measures taken or proposed to be taken to address the Security Breach; and
• if and to the extent required under Applicable Data Protection Laws, to only appoint a Processor to Process any Relevant Personal Data where:
• aten nur dann hinzuzuziehen, wenn:

o    such Processor has provided sufficient written guarantees confirming that:

–    it shall only Process the Relevant Personal Data in accordance with the instructions of the Controller; and

–    git has implemented appropriate technical and organisational security measures to prevent unauthorised or unlawful Processing of Relevant Personal Data and protect against accidental loss or destruction of, or damage to, Relevant Personal Data;

o    either Party, in its capacity as Controller, has put in place an appropriate binding written contract with the Processor, in accordance with the requirements of Applicable Data Protection Laws, including all mandatory contractual provisions required by such Applicable Data Protection Laws.

If required under the Applicable Data Protection Laws, each Party will retain Relevant Personal Data received from the other Party only for as long as it is necessary in connection with the purposes set out in this Agreement, or as necessary to comply with its obligations under applicable law, subject to mandatory data retention requirements and Applicable Data Protection Laws.

Within the scope of their respective Processing of Relevant Personal Data, Parties shall provide the concerned Data Subjects with all necessary information under Applicable Data Protection Laws and, if required, obtain the relevant Data Subjects’ consent to the respective Processing as part of the performance of the services under this Agreement. In the event that either Party receives: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Laws; or (ii) any other correspondence, enquiry or complaint from a Data Subject, regulator or other third party in connection with the Processing of Relevant Personal Data (collectively, “Correspondence“), then where such Correspondence relates to Processing conducted by the other Party, it shall promptly inform the other Party, and the Parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Data Protection Laws.