Connect-i’s Processor Binding Corporate Rules for the Processing of Personal Data

Revision: February 2024

1. Introduction

Connect-i Sàrl and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters.

In accordance with the General Data Protection Regulation and, as applicable, the Swiss Data Protection Laws and Regulations, the Connect-i Processor BCR (as defined below) is intended to provide an adequate level of protection for Personal Data during international transfers to Sub-Processors made on behalf of Customers and under their instructions.

2. Definitions

Controller means the entity which determines the purposes and the means of the processing of Personal Data.

Customer(s) means (i) a legal entity with whom Connect-i has executed a contract to provide the Services (or a legal entity placing an order under such contract) and such contract incorporates by reference the Connect-i Processor BCR or (ii) a legal entity with whom Connect-i has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the Connect-i Processor BCR.

Data Subject means the identified or identifiable person to whom Personal Data relates.

General Data Protection Regulation or GDPR means European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing European Directive 95/46/EC.

Personal Data means any information relating to (i) an identified or identifiable natural person; and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under Swiss Data Protection Laws and Regulations).

Processor means the entity which processes Personal Data on behalf of the Controller.

Opigno means a product developed by Connect-i under the registered trademark Opigno®.

Connect-i means the Connect-i Sarl company, a Swiss limited liability company having its registered address at Tresi 6C, 1028 Préverenges (VD), VAT / Fiscal code n. CHE-114.078.026.

Connect-i Processor BCR means Connect-i’s Processor Binding Corporate Rules for the Processing of Personal Data.

Services means the online services provided to Customer by Connect-i, including Opigno cloud solution.

Sub-processor means any Processor engaged by Connect-i.

Supervisory Authority means an independent public authority which is established by an EU member state pursuant to Article 51 of the GDPR, and/or, as applicable, the Swiss data protection authority established under the Swiss Data Protection Laws and Regulations.

Swiss Data Protection Laws and Regulations means the Swiss Federal Data Protection Act 1992 and its successor laws.

3. Scope and Application

The purpose of the Connect-i Processor BCR is to govern international transfers of Personal Data to third-party Sub-processors (in accordance with written agreements with any such third-party Sub-processors) when acting as Processors and/or Sub-processors on behalf and under the documented instructions of Customers.

The Connect-i Processor BCR applies to Personal Data submitted to the Services by:

  • Customers established in an EEA member state or Switzerland whose processing activities for the relevant data are governed by the GDPR or, as applicable, by the Swiss Data Protection Laws and Regulations; or
  • Customers established in non-EEA member states for which the customer has contractually specified that the GDPR and implementing national legislation shall apply.

Connect-i may update the Connect-i Processor BCR.

When the changes to the Connect-i Processor BCR affect the processing conditions, Connect-i shall inform the Customer in such a timely fashion that Customer has the possibility to object to the change or to terminate the contract before the modification is made.

The categories of Personal Data, the types of processing and its purposes, the types of Data Subjects affected and the identification of the recipients in the third countries are set out in Section 5 below.

It shall be the responsibility of a Customer to apply the Connect-i Processor BCR to:

  • All Personal Data processed for processor activities and that are submitted to EU and, as applicable, Swiss law; or
  • All processing of Personal Data for processor activities within Connect-i whatever the origin of the data.

4. Responsibilities Towards Customers

A. General Obligations

Connect-i and its employees shall comply with the Connect-i Processor BCR, process Personal Data only upon a Customer’s documented instruction and shall have a duty to respect Customer’s instructions regarding the data processing and the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.

Connect-i shall immediately inform the Customer if in its opinion an instruction infringes the GDPR or other EU or EU member state law or, as applicable, Swiss data protection provisions.

B. Transparency, Fairness, Lawfulness and Cooperation with Customers

Connect-i undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation and assistance within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data, to the extent Customer, in its use of the Services, does not have the reasonable ability to address such obligations.

C. Data Subject Rights

Connect-i acts as Processors on behalf of Customers. As between Connect-i and Customers, Customers have the primary responsibility for interacting with Data Subjects, and the role of Connect-i is generally limited to assisting Customers as needed.

i. Data Subject Requests

Connect-i shall promptly notify Customer if Connect-i receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the processing, Connect-i shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the GDPR or, as applicable, an equivalent obligation under Swiss Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Connect-i shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under the GDPR or, as applicable, an equivalent obligation under Swiss Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Connect-i’s provision of such assistance.

ii. Handling of Complaints

Connect-i shall be responsible for handling complaints related to compliance with the Connect-i Processor BCR.

Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the Connect-i Processor BCR by contacting the relevant Customer or Connect-i at the email address [email protected]. Connect-i shall without undue delay communicate the complaint to the Customer to whom the Personal Data relates without obligation to handle it (except if it has been agreed otherwise with Customer). 

Customers shall be responsible for responding to all Data Subject complaints forwarded by Connect-i except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where Connect-i is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within one (1) month, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant Supervisory Authority). Taking into account the complexity and number of requests, this period of one (1) month can be extended by two (2) further months in which case Connect-i will inform the Data Subjects accordingly.

D. Regulatory Inquiries and Complaints

Connect-i shall, to the extent legally permitted, promptly notify a Customer if Connect-i receives an inquiry or complaint from a Supervisory Authority in which that Customer is specifically named. Upon a Customer’s request, Connect-i shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving Connect-i’s processing of Personal Data.

E. Data Protection Impact Assessments

Upon Customer’s request, Connect-i shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR (or, as applicable, under the Swiss Data Protection Laws and Regulations) to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Connect-i. Connect-i shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 4 E. of the Connect-i Processor BCR to the extent required under the GDPR (or, as applicable, under the Swiss Data Protection Laws and Regulations).

F. Records of Processing Activities

As required by data protection laws and regulations, Connect-i shall maintain a record of all categories of processing activities carried out on behalf of each Customer.

5. Description of Processing Operations and Transfers

A. Purpose Limitation

Connect-i shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s contract with Connect-i including with regard to transfers of personal data to a third country (unless Connect-i is legally required to do so by EU or EU member state law, or, as applicable, Swiss law, in which case prior information will be provided by Connect-i to Customer unless such information is legally prohibited); and (ii) processing initiated by the Customer in its use of the Services. If Connect-i cannot comply with such purpose limitation, Connect-i shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect to only those Services which cannot be provided by Connect-i in accordance with such Customer’s instructions. On the termination of the provision of such Services, Connect-i and third-party Sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer contract and upon request from Customer, Connect-i shall certify that it has done so. The only exception to this is if the law applicable to Connect-i and its third-party Sub-processors requires Connect-i and its third-party Sub-processors to retain the data that has been transferred in which case Connect-i will inform the Customer and warrant that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.

B. Nature of Personal Data Processed

The Connect-i Processor BCR will apply to Personal Data submitted by Customers to the Services. Connect-i’s Customers determine what Personal Data, if any, is submitted to the Services under the conditions set out in the contract.

The following types of Personal Data are oftentimes submitted to the Services.

  • First name
  • Last name
  • User name
  • Email address (professional or private)
  • Role
  • Language
  • Career path
  • Results (answers and scores resulting from questionnaires)
  • Internal messages (if functionality activated)

 These types of Personal Data oftentimes relate to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Customer to use the Services

Customers are allowed to submit sensitive personal data or special categories of Personal Data to some Services under the conditions set out in the contract.

C. Affected Data Subjects

Connect-i does not choose or determine the categories of Data Subjects that relate to the Personal Data submitted to the Services. Connect-i’s Customers solely determine the Data Subjects whose Personal Data is submitted to the Services.

D. Countries of location of Connect-i Affiliate Sub-processors

The countries where the Connect-i affiliate Sub-processors of Personal Data are located are listed in the Infrastructure and Sub-processor documentation.

E. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend, update or delete Personal Data, as required by applicable laws, Connect-i shall comply with any request by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time and to the extent reasonably possible to the extent Connect-i is legally permitted to do so. If any such anonymization, correction, amendment, update or deletion request is applicable to a third-party Sub-processor’s processing of Personal Data, Connect-i shall communicate such request to the applicable third-party Sub-processor(s).

F. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, Connect-i may retain third-party Sub-processors, and depending on the location of the third-party Sub-processor, processing of Personal Data by such Sub-processors may involve transfers of Personal Data. Such third-party Sub-processors shall process Personal Data only: (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with Connect-i; or (ii) if processing is initiated by the Customer in its use of the Services. The current list of third-party Sub-processors engaged in processing Personal Data, including a description of their processing activities, is available in the Infrastructure and Sub-processor documentation. Such third-party Sub-processors have entered into written agreements with Connect-i in accordance with the applicable requirements of Articles 28, 29, 32, 45, 46 and 47 of the GDPR, or, as applicable, corresponding provisions of the Swiss Data Protection Laws and Regulations, as well as the relevant sections of the Connect-i Processor BCR as applicable to the third-party Sub-processor’s processing activities. 

i. Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, Connect-i shall provide Customers with prior notification before a new Sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to Connect-i’s use of a new Sub-processor by notifying Connect-i in accordance with the provisions set forth in the Customer’s contract. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Connect-i will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Connect-i is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable order form(s) with respect only to those Services which cannot be provided by Connect-i without the use of the objected-to new Sub-processor by providing written notice to Connect-i. Connect-i will refund Customer any prepaid fees covering the remainder of the term of such order form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

6. Confidentiality and Security Measures

A. Confidentiality and Training

Connect-i shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, Connect-i shall ensure that its personnel responsible for the development of the tools used to process Personal Data have received appropriate training on their responsibilities. Connect-i shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform the Connect-i’s obligations under applicable contracts with Customers.

B. Data Security

Connect-i shall maintain appropriate administrative, technical and physical measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. Connect-i shall implement technical and organizational measures which at least meet the requirements of the GDPR or, as applicable, Swiss Data Protection Laws and Regulations and any existing particular measure specified in the contract with the Customer. Connect-i regularly monitors compliance with these measures. Connect-i will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

C. Personal Data Incident Management and Notification

In the event Connect-i becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise processed by Connect-i or its Sub-processors (a “Personal Data Incident”) Connect-i will without undue delay after becoming aware notify affected Customers. Connect-i shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Connect-i deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Connect-i’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.

D. Audits

Connect-i shall maintain an audit program to help ensure compliance with the Connect-i Processor BCR, including the following internal verification and audits by Customers. The audit program covers all aspects of the Connect-i Processor BCR, including methods for ensuring non-compliance is addressed. 

i.   Network of Privacy Personnel and Internal Verification

Connect-i shall conduct an annual assessment of Connect-i’s compliance with the Connect-i Processor BCR, which is provided to the Connect-i’s board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow up to ensure such corrective actions have been completed.

ii.  Customer Audits

Upon a Customer’s written request, and subject to appropriate confidentiality obligations, Connect-i shall make available to the Customer (or such Customer’s independent, third-party auditor that is  not a competitor of Connect-i) information regarding Connect-i’s and third-party Sub-processors’ compliance with the data protection controls set forth in this Connect-i Processor BCR.

With respect to Connect-i’s compliance with the data protection controls set forth in the Connect-i Processor BCR, Connect-i shall make available third-party certifications and audits set forth in the contract to the extent Connect-i makes them generally available to its customers.

With respect to third-party Sub-processors’ compliance with the data protection controls set forth in the Connect-i Processor BCR, Connect-i shall provide the requesting Customer a report of Connect-i’s audits of third-party Sub-processors and/or a report of third party auditors’ audits of third-party Sub-processors that will have been provided by those third-party Sub-processors to Connect-i.

Customer acknowledges and agrees to exercise its audit right by hereby instructing Connect-i and Connect-i’s third party Sub-processors to carry out the audit as described in this Section 6.D (ii).

Customer has the right to change at any moment its instruction regarding the exercise of its audit right by sending Connect-i a notice in writing.

If Customer changes its instruction and thereby requests to exercise its audit right directly, Customer shall reimburse Connect-i for any time expended by Connect-i or its third-party Sub-processors for any on-site audit carried out by the Customer. Before any such on-site audit commences, the requesting Customer and Connect-i or its third party Sub-processors as appropriate shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Connect-i or its third-party Sub-processors.

As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance with this Section must promptly provide Connect-i with information regarding any non-compliance discovered during the course of an audit.

Nothing in this Section affects any Supervisory Authority’s or Data Subject’s rights under the Connect-i Processor BCR.

7. Liability and Enforcement

Connect-i’s contracts with Customers shall include a reference to the Connect-i Processor BCR and the Connect-i Processor BCR shall form part of those contracts. These contracts shall comply with Article 28 of the GDPR.

8. Cooperation with Supervisory Authorities

Connect-i shall cooperate with Supervisory Authorities with jurisdiction over Connect-i or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant EU member state regarding the interpretation and application of the Connect-i Processor BCR.

9. Local Law Requirements

As set forth in applicable contracts with Customers, Connect-i shall comply with applicable law in its processing of Personal Data. Where applicable law requires a higher level of protection for Personal Data than provided for in the Connect-i Processor BCR, the local applicable law shall take precedence.

Where Connect-i reasonably believes that applicable existing or future enacted or enforceable law prevents it from fulfilling its obligations under the Connect-i Processor BCR or the instructions of a Customer, it shall promptly notify the affected Customers, the Supervisory Authority competent for the Customer and the Supervisory Authority competent for Connect-i. In such a case, Connect-i shall use reasonable efforts to make available to the affected Customers a change in the Services or recommend a commercially reasonable change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law without unreasonably burdening Customers. If Connect-i is unable to make available such change within a reasonable period of time, Customers may terminate the applicable order form(s) in respect to only those Services which cannot be provided by Connect-i in accordance with applicable law by providing written notice to Connect-i. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

In accordance with applicable contracts with Customers, Connect-i shall communicate any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body to the impacted Customer unless Connect-i is prohibited by law from providing such notification.

To the extent Connect-i is prohibited by law from providing such notification, Connect-i shall: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the confidentiality requirement be waived to enable Connect-i to notify the appropriate Supervisory Authority competent for the Customer and the CNIL in its capacity as competent Supervisory Authority for the Connect-i Processor BCR; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.

10. Connect-i Processor BCR and Applicable Law

Where national law applicable to Connect-i requires a higher level of protection for Personal Data than what is set out in the Connect-i Processor BCR, then that national applicable law will take precedence over the Connect-i Processor BCR.

In any event Connect-i shall process Personal Data in accordance with the Swiss law.