Data Processing Agreement (DPA)

Last updated: May 27, 2026

1. Scope and Priority

This Data Processing Agreement ("DPA") is an integral part of the contractual relationship between the Customer and W&W Global Marketing Group GmbH ("W&W") under the applicable Terms of Use, Service Agreements and/or Order Forms (collectively the "Agreement"). It sets forth the conditions under which W&W and the Customer handle personal data in connection with the Services.

This DPA has two parts. Part A (Sections 2–3) sets out the processor terms that apply to personal data the Customer uploads, imports, or inputs into the Services. Part B (Section 4) sets out the controller-to-controller terms that apply when W&W reveals or discloses a candidate from its own talent database to the Customer.

The DPA may be updated by W&W from time to time. Material changes will be communicated to the Customer through appropriate channels (e.g. email or in-app notifications) or published on the website. In case of conflict between this DPA and the main Agreement, the provisions of this DPA shall take precedence regarding the processing of personal data.

The DPA remains in effect as long as W&W processes personal Customer data under the Agreement. Capitalized terms not defined in this DPA have the meaning given to them in the Agreement or applicable data protection law.

2. Definitions

"Customer Data / Customer Personal Data": Personal data that the Customer uploads, imports, or otherwise provides to or inputs into the Services, and that W&W processes on the Customer's behalf and on its documented instructions. It does not include personal data in W&W's own talent database, which W&W collects from publicly available sources and controls independently (as described in the Privacy Policy).

"Processing": Any operation or set of operations performed on personal data, e.g. collection, storage, access, use or deletion.

"FADP": the revised Federal Act on Data Protection of 25 September 2020 (SR 235.1), in force since 1 September 2023, together with its implementing Data Protection Ordinance (O-FADP, SR 235.11).

"Data Subject": Any natural person whose personal data is processed.

"Controller": The party that, alone or jointly with others, determines the purposes and means of the processing.

"Sub-processor": Any third party engaged by W&W for processing personal data.

"Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12) GDPR).

"Special categories of personal data" (sensitive personal data): Personal data listed in Art. 9(1) GDPR and Art. 5(c) FADP — namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.

3. Processing of Personal Customer Data

3.1 Roles and Responsibilities

This DPA governs personal data that the Customer uploads, imports, or inputs into the Services ("Customer Personal Data"). With respect to that data, the Customer acts as Controller under the FADP and, where applicable, the GDPR, and W&W acts as Processor on the Customer's documented instructions. The Customer is responsible for the lawfulness of the data it provides and for determining the purpose and legal basis of the processing.

W&W's own talent database, which W&W builds from publicly available professional sources, is not processed on the Customer's behalf: W&W is the independent controller of that data, as described in its Privacy Policy. When a candidate from the talent database is revealed or otherwise disclosed to the Customer, the Customer becomes an independent controller of the data it receives; that controller-to-controller relationship is governed by Part B (Section 4) of this DPA.

The Services include profiling within the meaning of Art. 4(4) GDPR and Art. 5(f) FADP (such as relevance scores and other AI-based assessments). The outputs of such profiling are advisory inputs to the Customer's human decision-makers; as Controller, the Customer undertakes not to use the Services to take decisions producing legal or similarly significant effects on a natural person solely on the basis of automated processing within the meaning of Art. 22(1) GDPR or Art. 21(1) FADP, and to provide the safeguards those provisions require. This mirrors Section 4 of the Terms.

3.2 Instructions and Processing Scope

W&W processes personal Customer data exclusively according to documented instructions from the Customer (DPA + Service Agreement). Additional instructions must be agreed in writing and may require adjustments to scope, schedule or price.

Documented instructions include any instruction regarding the transfer of Customer Personal Data to a third country, unless W&W is required to transfer by applicable law (in which case W&W will inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest). W&W will immediately inform the Customer if, in its opinion, an instruction infringes the FADP, the GDPR or other applicable data protection law.

3.3 Permissible Processing

Data is processed exclusively for the provision of contractually agreed Services. Processing beyond this purpose (including disclosure to third parties) occurs only if legally required or contractually expressly permitted.

Note: W&W does not process or infer sensitive (special-category) data (for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic or biometric data; health data; or data concerning sex life or sexual orientation, as defined in Art. 9 GDPR and Art. 5(c) FADP), and does not derive conclusions about such characteristics; any such conclusions are solely the Customer's responsibility.

3.4 Support for Data Subject Rights

W&W supports the Customer with Data Subject requests (access, rectification, deletion). The Customer remains responsible for processing; support by W&W is provided upon written request. Costs for complex or frequent requests may be charged separately.

Taking into account the nature of the processing and the information available to it, W&W also assists the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR and Articles 8, 22, 23 and 24 FADP — including data security, the handling of personal data breaches, data protection impact assessments, and prior consultation with the competent supervisory authority.

3.5 Sub-processors

The Customer authorises W&W to engage sub-processors to process Customer Personal Data. W&W currently engages:

  • Google Cloud — cloud infrastructure and data storage, hosted in Switzerland;
  • Google Cloud Vertex AI (Gemini) — large language model services used to generate scores and assessments, running in a Swiss region; only de-identified professional data is sent, and the data is not used to train any model;
  • Lemlist SAS (France) — contact-data enrichment, performed at the point a candidate is revealed to the Customer;
  • PostHog — website and product analytics, on PostHog Cloud EU (Frankfurt, Germany).

Each sub-processor is bound by a written contract imposing substantially the same data protection obligations as set out in this DPA. W&W maintains a current list of sub-processors, including entity names and locations, in its public Sub-processor List, and will give the Customer advance notice of any addition or replacement. Within thirty (30) days of that notice, the Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection in good faith, the Customer may terminate the affected Services without penalty. W&W remains responsible for its sub-processors' compliance.

3.6 Technical and Organizational Measures (TOMs)

W&W implements appropriate measures to protect Customer data: encryption, access restriction, system monitoring, backup and audit logs. W&W ensures that persons authorised to process Customer Personal Data are bound by a contractual or statutory duty of confidentiality and receive appropriate data-protection training.

3.7 Cross-Border Data Transfers

Customer Personal Data is hosted and stored in Switzerland on Google Cloud infrastructure. The AI processing that generates scores and assessments runs on Google Cloud Vertex AI in a Swiss region, receives only de-identified professional data, and is not used to train any model.

W&W's sub-processors process Customer Personal Data only in Switzerland or the EU/EEA (see §3.5). The EU and EEA member states are recognised as providing adequate data protection in Annex 1 of the Data Protection Ordinance (O-FADP), so disclosures from Switzerland to these sub-processors are permitted under Article 16(1) FADP without additional safeguards. W&W complies with Articles 16 and 17 FADP and does not transfer Customer Personal Data to the United States.

3.8 Deletion or Return after Contract End

Upon termination of the Services, or otherwise on the Customer's written request, W&W will, at the Customer's choice, return or securely delete all Customer Personal Data, including existing copies, within thirty (30) days, unless Union, Member State or Swiss law requires further storage (in which case W&W will isolate and protect the retained data and delete it once the retention obligation expires). If the Customer does not communicate its choice within thirty (30) days of termination, W&W will securely delete the Customer Personal Data. W&W will provide written confirmation of return or deletion upon request.

3.9 Data Breach

W&W maintains internal procedures for detecting and responding to personal data breaches. W&W will notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, and in any event in sufficient time to enable the Customer to meet its 72-hour notification obligation under Art. 33 GDPR (or the corresponding obligation under Art. 24 FADP, where applicable). The notification will include, to the extent known: (a) the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address and mitigate it; and (d) a contact point for further information. Where the information is not all available at once, it may be provided in phases without undue further delay.

3.10 Legally Required Disclosures

W&W will inform the Customer immediately of any official or judicial orders unless legally prohibited. Support in responding to such requests will be provided.

3.11 Service Analytics

W&W may analyze aggregated, non-identifiable data regarding Service performance and usage. Customer data will not be identifiable.

3.12 Accountability

W&W maintains records of processing activities pursuant to Art. 12 FADP. W&W shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR / Art. 9 FADP, and shall allow for and contribute to audits — including on-site inspections on reasonable prior notice (no more than once per 12 months, absent a specific cause) — conducted by the Customer or an independent auditor mandated by the Customer and bound by confidentiality. W&W may satisfy this obligation in the first instance by providing current third-party certifications or audit reports (for example, ISO 27001 or SOC 2) covering the relevant scope.

4. Controller-to-Controller Terms — Revealed Candidates (Part B)

This Part B applies when a candidate from W&W's own talent database is revealed or otherwise disclosed to the Customer through the Services. It does not concern data the Customer uploads or imports, which is governed by Part A above.

4.1 Independent Controllers

W&W is the independent controller of the talent database, which it builds and maintains from publicly available professional sources. When the Customer reveals a candidate, the Customer receives the candidate's identified profile together with contact details obtained through contact enrichment, and from that point the Customer is an independent controller of the data it has received. Each party determines the purposes and means of its own processing; this is not a processor relationship, and neither party processes that data on the other's instructions.

4.2 Each Party's Responsibilities

Each party is responsible for complying with applicable data protection law (the FADP and, where applicable, the GDPR) in respect of its own processing. The Customer processes the revealed data for its own recruitment purposes, on its own legal basis, applies appropriate technical and organizational security measures, and does not disclose the data onward except to recipients bound by equivalent data protection obligations. In particular, as an independent controller the Customer assumes its own information and transparency obligations to the revealed candidates under Art. 13, 14 and 21 GDPR and Art. 19 FADP, including the candidate-facing transparency duty and the handling of any objection/opt-out requests for its own processing of that data.

4.3 Data Subject Rights

W&W handles data subject requests relating to personal data held on its own systems, including the talent database. The Customer handles data subject requests relating to data it has received and further processes. Each party will inform the other without undue delay of any request, complaint, or authority enquiry that concerns the other party's processing, and will provide reasonable assistance.

4.4 Cross-Border Transfers

Where revealed data is transferred outside Switzerland or the EU/EEA, the parties rely on an adequacy decision or on the European Commission's Standard Contractual Clauses for controller-to-controller transfers (Decision 2021/914, Module One). For transfers subject to the FADP, those clauses apply with the amendments recognised by the FDPIC: references to the GDPR are read as references to the FADP; the competent supervisory authority is the FDPIC; the clauses are governed by Swiss law; and data subjects may bring proceedings before the courts of the Canton of Zug.

Annex 1 – Processing Details

Data Exporter (Controller): the Customer.

Data Importer (Processor): W&W Global Marketing Group GmbH, Landis + Gyr-Strasse 1, 6300 Zug, Switzerland (UID CHE-165.987.703).

  • Data Subjects: the individuals whose personal data the Customer uploads, imports, or inputs into the Services (for example, the Customer's own candidates or contacts).
  • Data Categories: the personal data contained in the records the Customer provides — typically name, professional profile, experience, education, skills, and contact details.
  • Purpose: processing the Customer-provided data to deliver the recruitment and talent-matching Services on the Customer's instructions — in particular, the identification of candidates and initial contact.
  • Duration: for as long as the Customer uses the Services, subject to the return/deletion terms in §3.8.
  • Sub-processors: as listed in §3.5 and the public Sub-processor List, each bound by substantially the same data protection obligations.
  • Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC).

Annex 2 – Technical and Organizational Measures

  • Hosting on Google Cloud infrastructure in Switzerland (Swiss region), with physical and environmental security managed by the infrastructure provider
  • Encryption at rest (AES-256) and in transit (TLS)
  • Access rights on a need-to-know basis, MFA for administrators
  • Regular security scans, penetration tests, patch management
  • Daily backups, disaster recovery and contingency plans
  • Deletion or secure destruction after contract end
  • System monitoring, backup and audit logs

Contact

Jurisdiction: Zug, Switzerland.