Confidentiality & Data Protection Agreement for Data Processing with multisource
February 2026
1 Parties
- 1.1 This Agreement is entered into between the following parties:
Swisscom Directories AG
Förrlibuckstrasse 62
8005 Zurich
(hereinafter "directoriesDATA")
The User
(hereinafter "Partner")
- 1.2 directoriesDATA and Partner are each a "Party" and together the "Parties" to this Confidentiality Agreement.
2 Purpose
- 2.1 The Parties are conducting discussions regarding a possible collaboration in the area of data quality evaluation through a trial exchange of address data including associated attribute data. To this end, the Partner provides data which directoriesDATA processes and reviews and improves in terms of quality, and/or directoriesDATA provides the Partner with data for evaluation purposes. The objective is to evaluate the performance and concrete benefit with a view to a possible future collaboration ("Purpose").
- 2.2 In connection with this Purpose, the Parties will exchange certain non-public or confidential information and enter into the following confidentiality agreement to protect such information.
3 Confidentiality Agreement
- 3.1 Non-public or confidential information (hereinafter "Information") within the meaning of this Confidentiality Agreement includes all information and knowledge of the Parties and third parties (e.g. customers, partners, suppliers, other group companies of the Parties) made accessible in oral, written, or electronic form, including physical and electronic documents, notes, data, computer files, source code, and documentation that was not already demonstrably known to the public at the relevant time or that has been designated as confidential by a Party, in particular (but not exclusively) financial figures, budgets, business plans, strategies, trade secrets, technical processes, and business relationships (e.g. partners, suppliers, customers, joint ventures). Also included is the fact that the Parties are conducting discussions regarding the Purpose.
- 3.2 The Parties undertake to treat the Information as confidential, to use it exclusively for the Purpose mentioned above, and to take appropriate measures for its protection.
- 3.3 The Parties may only disclose the Information to those employees and advisors (e.g. lawyers and tax advisors) who require the Information to fulfil their duties within the scope of the Purpose and who have committed themselves to confidentiality in writing (e.g. in their employment or mandate agreement).
- 3.4 The confidentiality obligation does not apply to Information of a Party that (i) is or becomes generally available to the public, provided this does not occur through a breach of this Confidentiality Agreement by the other Party; or (ii) was already known to the other Party at the time of receipt without any confidentiality obligation; or (iii) has been released for disclosure by written authorisation of the disclosing Party; or (iv) has been independently developed by the other Party and is not derived from the Information.
- 3.5 In the event that a Party is required to disclose Information pursuant to statutory provisions or by order of a competent authority or court, the Party obliged to disclose shall notify the other Party in writing without undue delay (and, where possible, before complying with the disclosure request) of such requirement and of the measures it intends to take to comply with it, unless prohibited from doing so by the statutory provisions or the authority or court. In such a case, the Party obliged to disclose shall only disclose Information to the extent necessary.
- 3.6 All rights, in particular intellectual property rights in connection with the Information, remain with the disclosing Party. Rights of use in respect of the Information are granted to the recipient only to the extent and for as long as the Purpose requires.
- 3.7 The Information is provided on an "as is" basis. Neither Party makes any representations or warranties regarding the accuracy, reliability, or completeness of the Information.
- 3.8 Neither Party may assert claims against the other Party arising from or in connection with the unilateral termination of discussions regarding the Purpose by the other Party.
- 3.9 The Parties undertake to either return or destroy all Information provided by the other Party (including physical and electronic copies) upon first request and at the other Party's discretion, and to confirm such destruction in writing. Electronic copies retained as part of proper IT backups are excluded.
- 3.10 Each Party undertakes to pay the other Party a contractual penalty in the amount of CHF 50,000.00 for each breach of this Confidentiality Agreement, unless it can prove that it bears no fault. Payment of a contractual penalty does not release the paying Party from compliance with its obligations under this Confidentiality Agreement. The contractual penalty shall be credited against any higher damages that may be awarded.
- 3.11 The confidentiality obligation expires 2 years after the date of signature of this Confidentiality Agreement.
- 3.12 Additions and amendments to this Confidentiality Agreement are only binding if agreed in writing and signed by both Parties.
- 3.13 Any assignment of rights or obligations under this Confidentiality Agreement requires the written consent of the other Party.
- 3.14 In the event that any provision is found to be invalid, such provision shall be replaced by a rule that most closely reflects the economic intent of the original provision. The validity and enforceability of the remaining provisions shall not be affected thereby.
- 3.15 This Confidentiality Agreement is governed by Swiss law. The ordinary courts at the registered office of directoriesDATA shall have exclusive jurisdiction over all disputes between the Parties arising from or in connection with this Confidentiality Agreement.
4 Data Protection
- 4.1 The data protection policy of directoriesDATA in its current version, available at www.multisource.ch, shall apply.
- 4.2 directoriesDATA processes personal data exclusively in Switzerland.
- 4.3 To the extent that the Partner provides directoriesDATA with personal data which directoriesDATA processes as a data processor, the Partner remains the sole controller within the meaning of data protection law. In particular, the Partner is responsible for compliance with the information obligations towards data subjects pursuant to Art. 19 FADP. In addition, the following applies in the area of commissioned data processing:
- 4.3.1 directoriesDATA processes the personal data provided to it by the Partner for processing and stores it on its systems on behalf of the Partner.
- 4.3.2 directoriesDATA processes the personal data exclusively for the purposes set out in Section 2, subject to mandatory statutory provisions.
- 4.3.3 directoriesDATA ensures that all persons authorised to process personal data are bound by a duty of confidentiality, unless they are already subject to an appropriate statutory obligation of confidentiality.
- 4.3.4 directoriesDATA implements appropriate technical and organisational measures to protect personal data that meet the requirements of the FADP and, where applicable, Article 32 of the GDPR.
- 4.3.5 directoriesDATA supports the Partner, to the extent reasonably possible, through appropriate technical and organisational measures in fulfilling the duty to inform data subjects in accordance with applicable data protection law, and responds to Partner enquiries concerning the rights of data subjects.
- 4.3.6 directoriesDATA shall inform the Partner without undue delay if it considers that the Partner may be in breach of applicable data protection law in connection with the processing of personal data.
- 4.3.7 directoriesDATA supports the Partner with respect to its obligations under applicable data protection law, for example, where applicable, Articles 32 to 36 of the GDPR or corresponding provisions of the FADP. directoriesDATA shall inform the Partner without undue delay of any personal data breach within the area of responsibility of directoriesDATA.
- 4.3.8 directoriesDATA shall provide the Partner with all information reasonably required for the Partner to adequately document directoriesDATA's compliance with the provisions of this Section 4.3. Where strictly required under applicable data protection law and the information provided by directoriesDATA alone is insufficient, directoriesDATA shall permit the Partner, to the extent strictly required by law, to conduct inspections carried out by the Partner or an auditor appointed by the Partner, accepted by directoriesDATA, and bound to confidentiality, at the Partner's expense. Such inspections must not impede the ordinary course of operations at directoriesDATA and any affected sub-processors. They shall be conducted by prior arrangement during normal business hours and must not compromise the protection of trade secrets and personal data of other customers of directoriesDATA.
- 4.3.9 directoriesDATA may outsource the processing of personal data to third parties ("sub-processors"), in particular for the purposes of operating, developing, and maintaining the IT infrastructure used to provide the services, as well as for address data matching/sourcing. The Partner hereby consents to such outsourcing. The following sub-processors are engaged by directoriesDATA:
KünzlerBachmann Directmarketing AG, Zürcherstrasse 601, 9015 St. Gallen
Post CH AG, Wankdorfallee 4, 3030 Bern
directoriesDATA shall require sub-processors to comply with data protection obligations equivalent to those applicable to directoriesDATA under this Section 3.15.
- 4.3.10 directoriesDATA shall notify the Partner in writing at least 30 days before engaging new sub-processors. The Partner may raise a reasoned objection within 14 days of receipt of such notification. In the event of a justified objection, directoriesDATA shall either refrain from engaging the new sub-processor or grant the Partner an extraordinary right of termination.
- 4.3.11 directoriesDATA is entitled to invoice the Partner for costs and expenses incurred in connection with the provision of services pursuant to Section 4.3.5, provided that directoriesDATA has notified the Partner of the anticipated costs in writing at least 10 business days prior to the provision of such services.
- 4.3.12 Upon request by the Partner, but no later than upon completion of the work pursuant to Section 2, directoriesDATA shall delete the data processed by it as data processor, unless directoriesDATA is required by law to retain such data.
