General Terms and Conditions of the Processing of Personal Data by Doodle on behalf of the User
By using certain Doodle products, you acknowledge that this possibly involves the transmission of personal data to Doodle. To the extent that Doodle processes such data as your data processor, these General Terms and Conditions of the Processing of Personal Data apply in addition to the applicable general Terms of Service. In the event of a conflict with the Terms of Service, these Terms and Conditions of the Processing of Personal Data shall prevail.
Doodle and you agree on the following:
- Doodle will employ appropriate technical and organizational measures to protect personal data;
- Doodle will support you with appropriate technical and organizational measures (taking into account the type of processing) to fulfill your obligation to respond to requests to exercise the data protection rights of the data subject;
- Doodle will delete the personal data upon termination of the contractual relationship with you as soon as possible and at the latest within a maximum period of 180 days, unless Swiss law, EU law, or the law of the respective EU member state requires a longer storage of the data; in this context, Doodle may keep the personal data longer if this is necessary for the provision of other services used by you;
- Doodle shall provide you with all information necessary to prove Doodle’s compliance with its obligations as a processor.
- Upon Doodle’s discovery of any actual or suspected violation of the protection of your personal data, Doodle will notify you immediately. Such notification will include at least the following information: Details about the nature of the violation, the number of datasets involved, the category and approximate number of data subjects, the likely consequences of the violation, and any measures already taken or immediately planned to mitigate the possible adverse effects of the violation, taking into account all circumstances. The notification may also be provided in stages, taking into account the information available.
- By entering into EU Model Clauses with the contracted service providers, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de
- by ensuring that the commissioned service providers are Swiss-US or EU-US Privacy Shield certified (if the data recipient is located in the USA or stores its data there), see https://www.privacyshield.gov/
- through the presence of Binding Corporate Rules (BCR), recognised by a European data protection authority, at the service providers commissioned, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en