Skin Match Technology Switzerland AG (hereinafter “we”, “us” or “SMT”) offers software solutions for commercial users operating in the beauty industry, such as department stores, online stores, pharmacies, beauty brands etc. (hereinafter “you”), whereby it acts as a data aggregator and market research platform for cosmetics companies and a resource for customers (end users) to find suitable products and product information.
This Data Protection Addendum (“Addendum”) amends the SMT Terms of Service (the “Agreement”) by and between you and Skin Match Technology Switzerland AG, General-Wille Strasse 18, 8002 Zurich, Switzerland (“SMT”).
The services offered by SMT under the Terms of Service available at https://getskinmatch.com/legal/terms include various services to help you sell goods and services to your customers (“Customer”). Any such services offered by SMT are referred to in this Data Protection Addendum as the “Services”. Any new features or tools added to the current Services shall also be subject to this Data Protection Addendum, where applicable.
This Data Protection Addendum determines SMT’s and your respective responsibilities for compliance with the obligations under the GDPR with regard to Processing Customer Data, whether as Controller or as Processor. It applies to all activities in which the Parties, their employees or their Processors are involved in the Processing of Customer Data.
“Customer” means any individual who uses our Services on the Licensee Store or Website (end Customer) and saves their profile or signs up for an SMT account (“Account”) in order to use the Services.
“Services” means the SMT hosted tools available via www.getskimatch.com, skin-match.com and skinmatchapp.com and any associated websites, products or services offered by SMT.
"Applicable Data Protection Law" refers to all laws and regulations applicable to SMT’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) ("GDPR").
“Controller", "Processor", "Data subject", "Personal data", and"Processing" (and"Process") have the meanings given in accordance with GDPR.
"Customer Account Data" means personal data that relates to Customer’s direct relationship with SMT, including the names and email of individuals authorized by the Customer to access Customer’s account or profile data.
"Security Incident" means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
1.1 SMT as a Controller of Customer Data
The parties acknowledge that, with regard to the processing of Customer Data, you are a controller and SMT is a processor insofar as it collects the data and makes it available for you to export. For its own processing of Customer Data as described in this Addendum, SMT is an independent controller and not a joint controller with you.
You are responsible for ensuring that (a) you have complied, and will continue to comply, with Applicable Data Protection Law in your use of the Services and your own processing of personal data; and (b) you have, and will continue to have, the right to export the personal data from SMT for processing in accordance with the terms of the Agreement and this Addendum.
You appoint SMT as a processor to process Customer Data on your behalf and in accordance with your instructions (a) as set forth in the Agreement and this Addendum; (b) as otherwise necessary to provide the Services to Customer or to comply with applicable law; and (c) as otherwise agreed in writing by the parties (together, the “Permitted Purposes”).
5 Lawfulness of Instructions
You will ensure that your instructions comply with Applicable Data Protection Law. You acknowledge that SMT is not responsible for determining which laws are applicable to your business, nor whether SMT’s provision of the Services meets or will meet the requirements of such laws. You will ensure that SMT’s processing of Customer Data, when carried out in accordance with your instructions, will not cause SMT to violate any applicable law, regulation or rule, including Applicable Data Protection Law. SMT will inform you if it becomes aware, or reasonably believes, that your data processing instructions violate any applicable law, regulation or rule, including Applicable Data Protection Law.
5.1 Additional Instructions
Additional instructions outside the scope of the Agreement, an Order Form, or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by you to SMT for carrying out those instructions.
6.1 Responding to Third Party Requests
In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory authority, or third party is made directly to SMT in connection with SMT’s processing of Customer Data, SMT will promptly inform you and provide details of the same, to the extent legally permitted.
6.2 Confidentiality Obligations of SMT Personnel
SMT will ensure that any person it authorizes to process the Customer Data has agreed to protect personal data in accordance with SMT's confidentiality obligations under the Agreement.
7 SMT Services
As part of the Services, SMT provides you with a number of self-service features, including the ability to delete, obtain a copy of, or restrict the use of Customer Data, which you may use at no additional cost to assist in complying with your obligations under Applicable Data Protection Law when responding to requests from data subjects. In addition, upon your request, SMT will provide reasonable additional and timely assistance (at your expense only if complying with your request requires SMT to assign significant resources to that effort) to help you comply with your data protection obligations with respect to data subject rights under Applicable Data Protection Law.
SMT will provide reasonable cooperation in connection with any data protection impact assessment (at your expense only if such cooperation requires SMT to assign significant resources to that effort) or any consultation with regulatory authorities that may be required under Applicable Data Protection Law.
SMT will delete or return to Customer any Customer Data stored in the Services if requested by Customer directly.
10 Extension of Addendum
10.2 Retention Required by Law
Notwithstanding anything to the contrary, SMT may retain Customer Data or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum and Applicable Data Protection Law.
11.1 Security Measures
SMT has implemented, and will maintain, appropriate technical and organizational measures designed to protect personal data against Security Incidents.
11.2 Security Incident Notification
SMT will provide notification of a Security Incident in the following manner:
a. SMT will, to the extent permitted by applicable law, notify you without undue delay, and in no event later than seventy-two (72) hours after SMT’s confirmation or reasonable suspicion of a Security Incident affecting Customer Data of which SMT is a processor;
b. SMT will, to the extent permitted and required by applicable law, notify you without undue delay of any Security Incident involving Customer Data of which SMT is a controller; and
c. SMT will notify the email address of Customer’s account owner.
SMT will make reasonable efforts to identify the cause of such Security Incident and, to the extent the Security Incident was caused by SMT’s violation of the requirements of this Addendum, to remediate it. SMT will provide reasonable assistance to you in the event that you are required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.
The parties acknowledge that you must be able to assess SMT’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as SMT is acting as a processor on your behalf when collecting the data for you.
To the extent that Customer’s use of the Services requires the transfer of personal data out of the European Economic Area ("EEA") or Switzerland, you will take such measures as are necessary to ensure that the export complies with Applicable Data Protection Law.
In the event that either party receives (a) any request from a data subject to exercise any of their rights under Applicable Data Protection Law (including, as applicable, the rights of access, correction, objection, erasure and data portability), or (b) any other correspondence, enquiry or complaint from a data subject, regulator or other third party (collectively, "Correspondence"), then, where such Correspondence relates to processing of Customer Account Data, Customer Profile Data or Customer Usage Data conducted by the other party, it will promptly inform that other party, and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and to fulfill their respective obligations under Applicable Data Protection Law.
You acknowledge that SMT, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Usage Data. If the regulatory authority requires SMT to notify impacted data subjects with whom SMT does not have a direct relationship (e.g., your end users), SMT will notify you of this requirement. You will provide reasonable assistance to SMT to notify the impacted data subjects.
Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions.
SMT may update the terms of this Addendum from time to time; provided, however, SMT will provide at least thirty (30) days prior written notice to you when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://getskinmatch.com/legal/dpa.
SMT will process Customer Account Data and Profile Data as a controller (a) in order to manage the relationship with Customer; (b) carry out SMT’s business operations, such as product recommendations; and (c) in order to detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of the Services.
SMT will process Customer Usage Data as a controller (a) to carry out its functions as a product recommendation service provider; (b) to provide, optimize, maintain and secure the Services and platform; (c) to investigate fraud, spam and wrongful or unlawful use of the Services; and/or (d) as required by applicable law.
The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Canton of Zurich and the laws of Switzerland applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Canton of Zurich, Switzerland with respect to any dispute or claim arising out of or in connection with this Addendum.
If you have any questions about this Addendum or the use of our Services, please contact us at firstname.lastname@example.org
Skin Match Technology Switzerland AG
General-Wille Strasse 18, 8002 Zurich, Switzerland
Effective Date: August 20th, 2021