Skin Match Technology Switzerland AG (hereinafter “we”, “us” or “SMT”) offers software solutions for commercial users operating in the beauty industry, such as department stores, online stores, pharmacies, beauty brands, hair salons, dermatologists, spas etc. (hereinafter “you”), whereby it acts as a data aggregator, data as a service provider, market research platform and a resource for customers (end users) to find suitable products and product information.
This Data Protection Addendum (“Addendum”) amends the SMT Terms of Service (the “Agreement”) by and between you and Skin Match Technology Switzerland AG, Mutschellenstrasse 197, 8038 Zurich, Switzerland (“SMT”).
The services offered by SMT under the Terms of Service available at https://getskinmatch.com/legal/terms include various services to help you sell goods and services to your customers (“Customer”). Any such services offered by SMT are referred to in the Data Protection Addendum as the “Services”. Any new features or tools which are added to the current Services shall be also subject to the Data Protection Addendum, if applicable.
This Data Protection Addendum determines SMT’s and your responsibilities for compliance with the obligations under the GDPR with regard to Processing and Controlling Customer Data. They apply to all activities in which the Parties, their employees or their Processors are involved in the Processing or Controlling of Data.
“Customer” means any individual that uses our services on the Licensee Store or Website (end Customer) and optionally saves their profile, requests product recommendations via email, signs up to an SMT account “Account” to use the services or provides their name and email to you directly through our services (Custom Code Data Capturing).
“Services” means the SMT hosted tools available via www.getskimatch.com, skin-match.com and skinmatchapp.com and any associated websites, products or services offered by SMT.
"Applicable Data Protection Law" refers to all laws and regulations applicable to SMT’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) ("GDPR").
“Controller", "Processor", "Data subject", "Personal data", and "Processing" (and "Process") have the meanings given in accordance with GDPR.
"Customer Data" has the meaning given in the Privacy Policy. Customer Data includes Usage Data, Profile Data, Account Data, Correspondence Data and Notification Data as defined in our Privacy Policy at https://getskinmatch.com/legal/privacy-policy.
"Customer Account Data" means personal data that relates to Customer’s direct relationship with SMT, including the names and email of individuals authorized by the Customer to access Customer’s account or profile data.
"Privacy Policy" means the current privacy policy for the Services available at https://getskinmatch.com/legal/privacy-policy.
"Security Incident" means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
1.1 SMT as a Controller of Customer Data
The parties acknowledge that, with regard to the processing of Customer Data, SMT is a controller and you are a processor in terms of collecting the data and allowing you to export the data and also an independent controller once you have implemented the data in your own environments, not a joint controller.
SMT will process personal data in order to provide the services in accordance with the Privacy Policy available at https://getskinmatch.com/legal/privacy-policy, which further specifies the duration of the processing, the nature and purpose of the processing, and the types of personal data and categories of data subjects. SMT will process customer data in accordance with Customer’s instructions. SMT will process customer data in accordance with applicable data protection law and consistent with the Privacy Policy, the Agreement, customer consent when using our services and this addendum. If customer consents to sharing their data with you, data shall be made available in your account under User Export.
You are responsible for ensuring that (a) you have complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and processing of shared personal data and (b) you have, and will continue to have, the right to export the personal data from SMT for processing in accordance with the terms of the Agreement and this Addendum.
4 Lawfulness of Instructions
You will ensure that your processing of shared data will comply with Applicable Data Protection Law. You acknowledge that SMT is not responsible for determining which laws are applicable to your business nor whether SMT’s provision of the Services meets or will meet the requirements of such laws. SMT will inform you if it becomes aware or reasonably believes that your data processing violates any applicable law, regulation, or rule, including Applicable Data Protection Law.
5 Additional Instructions
Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by you to SMT for carrying out those instructions.
6.1 Responding to Third Party Requests
In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory authority, or third party is made directly to SMT in connection with SMT’s controlling of Customer Data, SMT will promptly inform you and provide details of the same, to the extent legally permitted and necessary.
6.2 Confidentiality Obligations of SMT Personnel
SMT will ensure that any person it authorizes to process the Customer Data has agreed to protect personal data in accordance with SMT's confidentiality obligations under the Agreement.
7 SMT Services
As part of the SMT Services, SMT provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Data, which may be used by you to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the SMT Services at no additional cost. In addition, upon your request, SMT will provide reasonable additional and timely assistance (at your expense only if complying with your request will require SMT to assign significant resources to that effort) to assist you in complying with data protection obligations with respect to data subject rights under Applicable Data Protection Law.
SMT will provide reasonable cooperation in connection with any data protection impact assessment or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
SMT will delete or return to Customer any Customer Data stored in the Services if requested by Customer.
10 Extension of Addendum
10.1 Upon termination of the Agreement, SMT may retain Customer Data in storage for the time periods set forth in the Privacy Policy available at https://getskinmatch.com/legal/privacy-policy, provided that SMT will ensure that Customer Data is processed only as necessary for the Permitted Purposes, and Customer Data remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law
Notwithstanding anything to the contrary, SMT may retain Customer Data or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
11.1 Security Measures
SMT has implemented and will maintain the technical and organizational measures to protect personal data from a Security Incident.
11.2 Security Incident Notification
SMT will provide notification of a Security Incident in the following manner:
a. SMT will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after, SMT’s confirmation or reasonable suspicion of a Security Incident impacting Customer Data of which SMT is a processor;
b. SMT will, to the extent permitted and required by applicable law, notify you without undue delay of any Security Incident involving Customer Data of which SMT is a controller; and
c. SMT will make reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this Addendum by SMT, remediate the cause of such Security Incident. SMT will provide reasonable assistance to you in the event that you are required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.
In the event that either party receives: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator or other third party, (collectively, "Correspondence") then, where such Correspondence relates to processing of Customer Account Data, Customer Profile Data or Customer Usage Data conducted by the other party, it will promptly inform such other party and the parties agree to cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Applicable Data Protection Law.
You acknowledge that SMT, as a controller, may be required by Applicable Data Protection Law to notify the regulatory authority of Security Incidents involving Customer Usage Data. If the regulatory authority requires SMT to notify impacted data subjects with whom SMT does not have a direct relationship (e.g., your end users), SMT will notify you of this requirement. You will provide reasonable assistance to SMT to notify the impacted data subjects.
Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
If there is any conflict between this Addendum and the Agreement and/or Privacy Policy, then the terms of this Addendum will control. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions.
SMT may update the terms of this Addendum from time to time; provided, however, SMT will provide at least thirty (30) days prior written notice to you when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://getskinmatch.com/legal/dpa.
SMT will collect, process and/or share Personal Information with third Parties for the following purposes: a) as necessary to provide the Services under the Agreement; b) to display product recommendations to customers; c) to send product recommendations as requested by customer to the customer; d) to deliver advertising and marketing; e) tailor, optimize and analyze advertising, in mobile apps and across other advertising channels and platforms; f) to measure and analyze such advertising and marketing; g) to create “audience segments” based on inferences about consumer preferences, products and activities for purposes of online and mobile advertising and research; g) Assisting Clients by creating “identity” graphs, to help locate users across various channels, such as connecting identities based on common personal, device-based, or network-based identifiers (e.g., IP address, email address); h) Research and analysis; i) Improving, testing, updating and verifying our own data and data services; j) Developing new product; k) our own marketing purposes; l) Operating, analyzing, improving, and securing our Services.
SMT will process Customer Usage Data as a controller in order to carry out the necessary functions as a (a) product recommendation service provider; (b) to provide, optimize, and maintain the Services and platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) sell IP addresses or emails to data brokers, advertising companies of research platforms as necessary for commercial purposes and/or (e) as required by applicable law.
SMT processes personal data contained in Customer Data. Customer Data includes Usage Data, Profile Data, Account Data, Correspondence Data and Notification Data as defined in our Privacy Policy at https://getskinmatch.com/legal/privacy-policy.
The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Canton of Zurich and the laws of Switzerland applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Canton of Zurich, Switzerland with respect to any dispute or claim arising out of or in connection with this Addendum.
If you implement custom HTML to circumvent data collection by SMT and SMT as a Controller, integrate additional tracking mechanisms, cookies, or other forms of personal data collection via custom code, thereby allowing customers to provide their personal data (including but not limited to name, date of birth, medical information, email, usage data, and account data) directly through our services ("Custom Code Data Capturing"), you shall assume full responsibility for the integration, legality, customer consent, and processing of such data. Furthermore, you agree to indemnify and hold SMT harmless from any and all liabilities, claims, and incidents arising out of or related to data protection issues associated with the aforementioned activities.
23.1 If any of the provisions of this Agreement should be invalid, then the validity of the other provisions shall not be affected thereby. The invalid provision shall be replaced by a valid provision that comes closest to fulfilling the purposes pursued by the parties.
23.2 Amendments and additions to this Agreement and any schedules shall be valid only in writing.
23.3 The contracting parties agree to demonstrably strive to reach an amicable settlement in the event of differences of opinion before referring the matter to a court. If such a settlement cannot be reached and if referral of the matter to a court is inevitable, then the contracting parties shall agree Zurich as the exclusive place of jurisdiction.
If you have any questions about this Addendum or the use of our Services, please contact us at office@skin-match.com.
Skin Match Technology Switzerland AG
Mutschellenstrasse 197,
8038 Zürich
Effective Date: July 12th, 2024