February 21, 2025
Data Processing Agreement
as a supplement to the Terms of Service for Threema Work
between
Threema GmbH
Churerstrasse 82
8808 Pfäffikon SZ
(hereinafter “Threema”)
and
Customer (under the Terms of Service for Threema Work)
(hereinafter “Controller”; each a “Party”, collectively the “Parties”)
Recitals
Threema develops, supports and sells “Threema Work”, an internet-based, cross-platform service for the secure exchange of messages, voice and video communication between users. The data transmission required for this is partly routed via servers owned by Threema (hereinafter “Threema Servers”). Threema does not operate any network infrastructure itself.
Threema Work consists of several Software as a Service applications, namely the “Threema Work App” for end devices (e.g. mobile phones, tablets and PCs), the “Threema Work Management Cockpit” for managing users of the Threema Work App, “Threema Broadcast” for one-to-many communication with users and “Threema Gateway” for linking the Controller’s IT systems with Threema Work via an application programming interface (API).
All Threema Work applications are standard software whose functions and data security are continuously developed and improved by Threema. Over time, certain functions of Threema Work and the associated processing of personal data may be added, changed or removed.
One or more agreements, including the terms of service of Threema, have been concluded between Threema and the Controller for the use of one or more applications of Threema Work (hereinafter “Software License Agreements”). In addition to these Software License Agreements, the Parties conclude the present “Data Processing Agreement” in order to enable the Controller to use Threema Work in compliance with data protection regulations and to contractually mandate Threema with the processing of personal data.
Now, therefore, the Parties agree as follows:
Table of Contents
1. Applicable Data Protection Law and Supervisory Authority, Representative in the European Union and Data Protection Officer
2. Subject Matter of the Agreement
3. Instruction Right of the Controller
4. Obligations of the Controller
5. Obligations of Threema
6. Marketing with Existing Customers
7. Technical and Organizational Measures
8. Requests of Data Subjects
9. Control and Audit Rights of the Controller
10. Sub-Processors of Threema
11. Liability
12. Term of the Agreement
13. Final Provisions
1. Applicable Data Protection Law and Supervisory Authority, Representative in the European Union and Data Protection Officer
1.1. The provisions and terms of the Swiss Federal Act on Data Protection (Data Protection Act of September 25, 2020; SR 235.1; hereinafter “FADP”), the Swiss Ordinance on Data Protection (Data Protection Ordinance of August 31, 2022; SR 235.11; hereinafter “DPO”) and the privacy policies of Threema apply primarily to this Data Processing Agreement.
1.2. Mandatory provisions of the data protection law applicable to the Controller, in particular Regulation (EU) 2016/679 of April 27, 2016 (hereinafter “GDPR”), are taken into account insofar as they go beyond the obligations of Threema under Swiss data protection law.
1.3. The competent supervisory authority for Threema is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
1.4. Threema is represented in the European Union pursuant to Art. 27 GDPR by ACC Datenschutz UG, Messestrasse 6, 94036 Passau, Germany.
1.5. The data protection officer of Threema can be reached at privacy at threema dot ch.
2. Subject Matter of the Agreement
2.1. Threema grants the Controller the right to use the Software as a Service applications of its service Threema Work in accordance with the provisions of the Software License Agreements. Threema, its employees and any subcontracted processors (hereinafter “Sub-Processors”) receive access to personal data and process it exclusively on behalf of and in accordance with the instructions of the Controller.
2.2. The Controller is responsible for assessing the lawfulness of the data processing.
2.3. Details of the categories of personal data processed, data subjects, processing purposes and storage periods can be found under Annex 1 to this Data Processing Agreement.
2.4. If Threema plans to introduce new functions for the Threema Work applications that result in a change to Annex 1, it will notify the Controller of this at least one month in advance in electronic text form (e.g. via the Threema Work Management Cockpit) and provide it with an updated version of Annex 1. Subject to this notification period, Threema may unilaterally amend Annex 1, provided that there is no change in the processing purposes.
2.5. For all essential functions of the Threema Work applications, Threema processes personal data exclusively on the Threema Servers in data centers located in Switzerland. Information on the Sub-Processors of Threema can be found under Annex 3 to this Data Processing Agreement.
2.6. The Parties declare this Data Processing Agreement to be an integral part of their Software License Agreements. In the event of inconsistencies between the Software License Agreements and the Data Processing Agreement, the provisions of the Data Processing Agreement take precedence.
3. Instruction Right of the Controller
3.1. This Data Processing Agreement sets out the Controller’s initial instructions to Threema with regard to the processing of personal data and, together with the Software License Agreements, forms the framework for subsequent instructions to amend, supplement or revoke them.
3.2. The Controller will primarily exercise its right to issue instructions directly and independently via the Threema Work applications, which provide it with functions for their configuration and the associated processing of personal data, including the entry, change, rectification and deletion of personal data.
3.3. Instructions regarding the processing of personal data by Threema, which cannot be issued by the Controller via the configuration of the Threema Work applications, must be issued by the Controller to Threema in writing or in an electronic text format (e.g. Threema messages to the Threema ID «*PRIVACY» or emails to privacy at threema dot ch).
3.4. Threema will inform the Controller if it is of the opinion that an instruction is in breach of applicable laws. Threema may then postpone the implementation of this instruction until the suspected breach of the law has been disproven by the Controller or the instruction has been amended in accordance with the law. In the event of obvious illegality, Threema may refuse to implement an instruction.
3.5. Threema will inform the Controller if an instruction cannot be technically implemented. For such a situation, the Parties hereby agree to work together in good faith to find a solution that comes closest to the objective that was associated with the technically unenforceable instruction.
4. Obligations of the Controller
4.1. The Controller will ensure to only provide Threema with personal data to process which it is permitted to process itself in accordance with the principles of the applicable data protection law and which is not subject to any statutory or contractual confidentiality obligations that preclude processing by Threema on behalf of the Controller.
4.2. When the Controller enters personal data in Threema Work, the entry of which is voluntary and optional for the use of Threema Work, the Controller undertakes to enter only such personal data in Threema Work and thus have it processed by Threema on behalf of the Controller, for the security of which the technical and organizational measures (“TOM”) implemented by Threema in accordance with Annex 2 to this Data Processing Agreement ensure an appropriate level of data security, whereby the assessment of appropriateness is the responsibility of the Controller.
5. Obligations of Threema
5.1. Threema undertakes to process personal data only within the scope of its mandate in accordance with this Data Processing Agreement and the instructions of the Controller. Threema hereby expressly excludes the sale, lease or other commercialization of the Controller’s personal data.
5.2. Threema is subject to the professional confidentiality obligation of the FADP and warrants that its employees and any Sub-Processors are also obliged by statutory or contractual provisions to maintain confidentiality when processing personal data. This obligation will continue to apply even after termination of the corresponding contractual relationships.
5.3. Threema will inform the Controller if it is required to process personal data beyond the scope of this Data Processing Agreement due to statutory provisions or official orders from authorities, provided it is legally permitted to do so. If appropriate and necessary for the protection of personal data, Threema will inform authorities during a legal procedure that personal data affected by the legal procedure is being processed on behalf of the Controller.
6. Marketing with Existing Customers
6.1. As part of its marketing with existing customers, Threema informs the Controller about new functions of the Threema Work Management Cockpit and the other Threema Work applications via the so-called “Product Updates”. These are sent by e-mail to administrators of the Threema Work Management Cockpit, which results in the e-mail addresses of the administrators registered by the Controller being processed.
6.2. The Product Updates are sent without prior consent on the basis of the existing customer privilege. Administrators of the Controller may unsubscribe from the Product Updates at any time directly via the Threema Work Management Cockpit.
7. Technical and Organizational Measures
7.1. Threema undertakes, taking into account financial and technical feasibility, to ensure the security of the personal data processed by Threema on behalf of the Controller by means of suitable TOMs in accordance with the current state of the art and to review their effectiveness on a regular basis. In particular, Threema takes measures to ensure the confidentiality, integrity and availability of its IT systems and the Threema Work applications in connection with the processing of personal data.
7.2. A list of the TOMs implemented by Threema (“TOM List”) can be found in Annex 2 to this Data Processing Agreement.
7.3. If Threema plans to change the TOMs implemented in accordance with Annex 2, it will notify the Controller of this at least one month in advance in electronic text form (e.g. via the Threema Work Management Cockpit) and provide it with an updated version of Annex 2. Subject to this notification period, Threema may unilaterally amend the TOMs implemented in accordance with Annex 2, provided this serves to maintain or improve data security.
7.4. Threema will inform the Controller immediately if it becomes aware of any data security breaches and discovers that personal data processed on behalf of the Controller is affected. In such cases, Threema will take the necessary immediate measures to secure the personal data in order to mitigate possible negative consequences for the data subjects, coordinate its further actions with the Controller and support the Controller in fulfilling any reporting obligations to data subjects and authorities.
8. Requests of Data Subjects
8.1. The fulfillment of data protection claims of data subjects (e.g. rectification, deletion or information) is the responsibility of the Controller.
8.2. If a data subject contacts Threema with data protection claims, it will immediately refer the data subject to the Controller and forward their request, provided that an attribution to the Controller is possible.
8.3. Threema will support the Controller in the fulfillment of data protection claims of data subjects within the scope of its possibilities. This support is to be remunerated to Threema by the Controller.
8.4. Threema is not liable if the forwarded request of a data subject is not answered, not answered correctly or not answered on time by the Controller.
8.5. To facilitate the exercise of the right to information, Threema offers users of the Threema Work App the option of independently obtaining information about their personal data stored by Threema at any time by sending the text message “info” to the Threema ID “*MY3DATA”.
9. Control and Audit Rights of the Controller
9.1. If necessary, Threema will provide the Controller with proof of compliance with the obligations agreed in this Data Processing Agreement, in particular data security measures, by suitable means, in particular with the aid of the following supporting documents:
Cryptography whitepaper, current TOM List, audit reports on data protection and data security as well as the source code of the Threema Work applications.
9.2. The Controller hereby declares that the supporting documents listed in Clause 9.1. hereinabove are generally sufficient to ensure that Threema fulfills its obligations, in particular with regard to data security.
9.3. In addition, the Controller has the right to have the compliance with the agreed obligations audited by an employed or externally commissioned auditor. If the Controller plans to commission an external auditor who is in a competitive relationship with Threema, Threema may object to the commissioning of this auditor.
9.4. Audits by the Controller are generally limited to one date per calendar year and must be substantiated for their proper planning and performance. For organizational and security reasons, Threema may limit audits in the context of which the auditor wishes to inspect the data centers to certain dates in the calendar year.
9.5. Threema may subject audits to the fulfillment of the following conditions by the Controller:
9.5.1. Advance notification of the audit of at least one month by the Controller;
9.5.2. Performance of the audit during Threema’s normal business hours, avoiding disruptions to business operations as far as possible;
9.5.3. Signing of a non-disclosure agreement by the auditor, in particular with regard to business secrets and the specific implementations of TOMs;
9.5.4. Proof of appropriate professional qualifications of the auditor.
9.6. The expenses for audits, in particular for those employees of Threema who support and accompany the auditor, are to be reimbursed to Threema by the Controller.
10. Sub-Processors of Threema
10.1. The Controller hereby consents to the processing of personal data by the contractual partners of Threema named under Annex 3 to this Data Processing Agreement as Sub-Processors.
10.2. The Controller may independently deactivate the functions that require the use of Sub-Processors at any time by configuring the Threema Work applications accordingly, as described in Annex 3.
10.3. New Sub-Processors must be notified to the Controller at least one month in advance in electronic text form (e.g. via the Threema Work Management Cockpit), with the notification containing at least the information under Annex 3.
10.4. New Sub-Processors will be deemed approved by the Controller if the Controller does not object within two weeks of notification by Threema (e-mail to privacy at threema dot ch sufficient). The Controller must substantiate its objection. If the right of objection is not exercised, Threema will provide the Controller with an updated version of Annex 3.
10.5. If the right of objection pursuant to Clause 10.4. hereinabove is exercised and Threema is unable to offer the Controller a configuration option for the Threema Work applications in order to exclude the use of the new Sub-Processor, the Controller will have an extraordinary right to terminate both this Data Processing Agreement and the Software License Agreements without notice. Usage fees already paid will not be refunded in full or pro rata, unless they have been prepaid for a contract year not yet commenced at the time of termination.
10.6. An approval requirement for contractual partners of Threema as Sub-Processors only exists if Threema commissions these contractual partners with the provision of functions of the Threema Work applications and the core activity consists of the processing of personal data. No approval requirement exists for contractual partners of Threema whose activity consists merely in the provision of subordinate ancillary services and whose core activity does not consist in the processing of personal data (e.g. pure infrastructure provision or telecommunications services).
11. Liability
The limitations of liability of the Software License Agreements apply between the Parties.
12. Term of the Agreement
12.1. The Data Processing Agreement comes into force at the time of activation of Threema Work for the Controller by Threema and is concluded for a term of one year. Unless terminated, the contract term will be automatically renewed for an additional year at a time.
12.2. Both Parties may terminate this Data Processing Agreement in writing at any time at the end of the annual term, subject to a notice period of three months. Upon termination of the Software License Agreements, this Data Processing Agreement will also end automatically.
12.3. The Data Processing Agreement will continue to apply beyond its term as long as Threema is in possession of personal data that it has processed on behalf of the Controller. Personal data that has not already been deleted in accordance with the storage periods specified in Annex 1 will be returned to the Controller or deleted at the Controller’s discretion. The statutory retention obligations of Threema remain reserved, in particular with regard to the retention of accounting records.
12.4. Provisions of this Data Processing Agreement or of the applicable data protection law that result in obligations for the Parties beyond the duration of the Data Processing Agreement will continue to apply beyond the end of the same.
13. Final Provisions
13.1. This Data Processing Agreement with its Annexes constitutes the entire agreement between the Parties and supersedes all previous agreements between the Parties with regard to its subject matter pursuant to Clause 2. hereinabove.
13.2. The following Annexes are attached to and form an integral part of this Data Processing Agreement:
13.2.2. Annex 2 – List of Technical and Organizational Measures (TOM);
13.2.3. Annex 3 – List of Sub-Processors.
13.3. Should any provision of this Data Processing Agreement be or become invalid or unenforceable, the remaining provisions of this Data Processing Agreement will remain unaffected. The Parties agree to replace the invalid or unenforceable provision by a valid and enforceable provision which, in the view of the Parties, comes as close as possible to the economic and data protection purpose of the invalid or unenforceable provision. Any gap in the Data Protection Agreement will be closed in a corresponding manner.
13.4. Threema may amend and/or supplement the provisions of this Data Processing Agreement from time to time. The Controller will be informed in advance of such amendments in the Threema Work Management Cockpit. Unless the Controller objects (e-mail to privacy at threema dot ch sufficient), the amended Data Processing Agreement will be deemed accepted after a period of 30 (in words: thirty) days. The amendment rights of Threema in relation to Annex 1 (Clause 2.4. hereinabove), Annex 2 (Clause 7.3. hereinabove) and Annex 3 (Clauses 10.3. to 10.5. hereinabove) remain reserved.
13.5. Unless otherwise agreed hereinabove, all amendments and supplements to this Data Processing Agreement must be made in writing to be legally effective. This also applies to this written form clause.
13.6. Subject to mandatory provisions of the applicable data protection law, this Data Processing Agreement is governed by Swiss law.
13.7. Subject to mandatory places of jurisdiction under the applicable data protection law, the exclusive place of jurisdiction for all legal disputes arising from or in connection with this Data Processing Agreement is the registered office of Threema in Pfäffikon SZ (municipality of Freienbach).
13.8. In the event of inconsistencies between the German and English version of this Data Processing Agreement, the German version will prevail.