Data processing by processors

FAQ

  • Can data processing be assigned to a third party abroad?

    Data processing may be assigned to a third party abroad. However, please note that both the requirements for data processing by processors and the requirements for transferring data abroad must be met.

  • How is the liability between me (as a controller) and my processor regulated?

    The controller must ensure that the requirements for data processing by processors are met before the data is assigned to the processor.

    The law provides that both the controller and the processor have the same obligations with regard to the processing of personal data, such as compliance with the general data protection principles.

    Civil liability for personal privacy infringements by processing personal data provides that anyone who participates in such an infringement (irrespective of their qualification as controller and processor) may be held responsible.

    There is no general rule that distributes liability between a controller and a processor. However, since this involves outsourcing data processing to a third party, the primary responsibility towards data subjects remains with the controller. It is also possible, for example, to place a contractual limitation on the liability of the processor.

  • Can I share personal data with third parties, in particular official authorities?

    Personal data may in principle be shared with third parties (official authorities and other persons). In doing so, the general data protection principles must always be complied with. If sensitive personal data is shared with third parties, this may be considered a breach of privacy pursuant to art. 30 revFADP, which is why a justification is required for such sharing (explicit consent, overriding private or public interest or legal basis (art. 31 revFADP)). However, the sharing of data with third parties must always be reviewed on a case-by-case basis before data is exchanged.

  • When is a data processing agreement required?

    Where a third party processes data on behalf of the controller, a contractual agreement is required (unless the processing by a processor is provided for by law, but this exception primarily applies to official authorities and not to private companies).

  • Can a company use a cloud provider to store company data?

    Yes, a company can use a cloud provider to store company data, provided the requirements for data processing by processors are met. If the data is completely encrypted and therefore cannot be read at all by the cloud provider, then this may not qualify as processing by the cloud provider and no data processing agreement would be required in this regard. However, if the cloud provider theoretically has access to the data (even if this access is not used), it is deemed to be a processor and a data processing agreement would be required. If the cloud provider is domiciled abroad, the requirements for cross-border data transfers must also be met.

    Depending on whether a company operates in a highly regulated area, such as banking, healthcare or insurance, additional requirements may need to be met.

  • During a transaction, such as the sale of a company, how is the role of the transferring entity (seller) defined in respect of the transitional services it offers to the buyer, until the buyer has integrated the purchased entity into its own IT infrastructure? In addition, what are the legal consequences of this qualification?

    In such a set of circumstances, the seller is usually considered a processor and the requirements for data processing by processors must be fulfilled if personal data is processed within the scope of the services. In particular, a data processing agreement must be concluded between the buyer and the seller for the corresponding services.

  • Are we permitted (e.g., as a sporting association domiciled in Switzerland) to store personal data in a CRM system operated by a third party (e.g., the corresponding World Association)? Who then owns the personal data? What should be taken into account?

    In Swiss law there is, generally, no ownership of personal data. Therefore, it is technically not correct to speak of data "belonging" to someone. It is often more important to assess to whom the personal data relates, because this person (the "data subject") can then exercise the rights to which he or she is entitled and that relate to this data. This is the person of whom one would commonly say that the data "belongs" to him or her.

    However, the FADP defines the terms "controller" and "processor" (which are defined below). This distinction may be relevant in respect of liability.

    If the third party only operates the CRM system for the Sports Association, then the third party presumably qualifies as processor and the Sports Association as controller. Such outsourcing is permitted as long as the requirements for data processing by processors are met.

    If the third party has its registered office or its servers outside of Switzerland, the requirements for a data transfer abroad must also be met.

  • Can personal data from athletes be collected and forwarded to third parties for processing?

    The collection of data from athletes is qualified as processing personal data if the data can be attributed to a specific athlete, which means that the general data protection principles must be observed. Furthermore, the organisation collecting such data must comply with the other obligations provided for in the revFADP.

    Regarding disclosure to third parties – i.e., sharing personal data with third parties – please see the answer to the question above "can I share personal data with third parties, in particular official authorities?".

At a glance

The revFADP still permits the outsourcing of data processing or work related to the processing of personal data. However, certain requirements have to be met by the person who performs the so-called “outsourced data processing”. In addition, the person who outsources the data processing must ensure that the processor complies with these requirements.

Introduction

The outsourcing of data processing is widespread in practice. This is referred to in the revFADP as "data processing by processors". There are a number of rules to be observed in this regard.

In principle, in relation to processing by processors, Swiss law (art. 9 of the revFADP) provides similar obligations – albeit less detailed – to the controller as EU law (art. 28 GDPR), but Swiss law does not specify any minimum information regarding the content of data processing agreements that controllers and processors are required to enter into.

Who is the "controller" and the "processor"?

The "controller" is the entity or the person that decides on the processing of personal data by determining the purpose and means (such as analyses of feedback or correspondence from customers, cookies on websites, storage location of personal data) of the data processing.

The controller may outsource the processing of personal data to a "processor". A processor processes personal data on behalf of the controller and does not decide on the purpose and means of the data processing. The processor is not permitted to process the data for its own purposes. It is not always clear who the controller and the processor are within the meaning of the revFADP. This must always be assessed on a case-by-case basis. However, the following are a few examples to illustrate this.

  • Examples of processors

    Generally, the following qualify as processors:

    • The provider of a service that enables its customers (controller) to collect statistics on website usage.
    • The cloud provider operating a server on which the customers (controllers) may lease storage space (unless all data is encrypted; then the cloud provider may not be processing personal data at all).
    • The operator of a call centre that documents its calls for and on behalf of a customer (controller).
    • The IT support provider who also has access to a large amount of personal data on the IT systems within the scope necessary (even if this personal data is not accessed, the possibility to access the data is sufficient).
    • The provider of payroll software or services which executes payments or sends salary slips on behalf of an employer.

In case the processing of data is delegated to persons within the company, the following applies: employees are not considered processors. However, a group company that, for example, makes salary payments for another company in the same group, can qualify as a processor.

What happens if several individuals can decide on the processing of personal data?

There is a specific article in EU law (GDPR art. 26) that introduces the term "Joint Controller(s)". This is only implicitly apparent from the definition of controller in Swiss law (art. 5 (j) of the revFADP: "alone or together with others"). Swiss law does not provide any specific rules for so-called "joint controllership". However, in EU law, persons jointly responsible must establish a written agreement on the allocation of tasks and obligations. Although this is not provided for in Swiss law, it nevertheless makes sense to sign such an agreement in order to provide greater clarity for the parties involved regarding their rights and obligations as well as responsibilities. Joint controllers may be two (or more) companies or two bodies that make joint decisions (on the purpose and means) to process personal data.

One example of joint controllers may be a travel agency which, together with a hotel chain and an airline, operates an internet platform to offer travel packages. The three companies agree which personal data is stored where and who can access it. However, there is no shared data processing outside the internet platform.

Another example for joint controllership may be two companies that have jointly developed a product and want to organise a marketing event for it. In order to do so, they share personal data of their clients with each other and jointly decide who they wish to invite and how to invite them for this event, how feedback on the event is collected, and what subsequent marketing actions are to be taken. For the purposes of this marketing operation, these two companies may be considered joint controllers of the personal data processed.

Under what conditions is data processing by processors permitted?

A contractual agreement between the controller and processor is required for data processing by processors (so-called data processing agreement). In contrast to the GDPR, the revFADP does not contain any specific requirements regarding the content of such agreements.

  • The agreement should, in particular, specify what data will be processed and ensure that the data processing is carried out correctly by the processor.
  • The agreement should include the following:

    • Subject matter and duration of the processing
    • Nature and purpose of processing
    • Nature of personal data
    • Categories of data subjects
    • Obligations and rights of the controller
    • Obligations and rights of the processor
    • Controller's right to issue instructions
    • Obligation to delete or return the processed data when the contractual relationship is terminated
    • List of technical and organisational measures to be implemented by the processor
    • Rules on the involvement of subcontractors ("sub-processors")

The controller must ensure that the processor processes the data only for the purposes that the controller is allowed to itself; in particular, this means that the processor may not process the data for its own or third-party interests.

The controller must ensure that there is no confidentiality obligation it would violate by outsourcing the processing of data (e.g., outsourcing by a bank may require the consent of the bank's customers on the basis of banking secrecy). Where there is a duty of confidentiality, the consent of the persons concerned may have to be obtained before outsourcing.

The controller must ensure that the processor has implemented appropriate technical and organisational security measures to protect personal data. For details, please refer to the section on "data security".

Depending on whether a company operates in a highly regulated area, such as banking, healthcare or insurance, additional requirements may need to be met.

  • If a data processor wishes to instruct a subcontractor (so-called sub-processor) to process data of the controller, the same general requirements must be met. The subcontractor must in principle fulfil the same obligations as the processor vis-à-vis the controller.
  • If the processor wants to outsource the processing of data to a subcontractor, it first needs to obtain the consent of the controller.
  • If the controller provides a general consent, the processor must inform the controller of any changes to the sub-processors. As in European law, the controller has the right to object in such a case, i.e., if the controller does not agree with the outsourcing, a contractual solution for such cases must be agreed (this may include a mutual right of termination).

What happens if data is disclosed to a third party who does not qualify as a processor and processes the data for its own purposes?

In such cases, the third party qualifies as a separate controller. This means that once the data has been disclosed to the third party, the third party itself has responsibility to comply with the revFADP.

The company that intends to disclose personal data to the third party should then also verify whether the disclosure even complies with the general data protection principles. It should also clarify whether sensitive personal data is involved, because if sensitive personal data is disclosed to third parties, a justification is required (explicit consent, overriding private or public interest or legal basis).

The company that intends to disclose personal data to a third party must also inform the affected data subjects – data subjects must be informed by law as to who the recipients of their data are and which categories of their personal data are disclosed to third parties.

Can a company be fined if a processor is appointed without meeting the requirements?

Yes, upon request, a fine of up to CHF 250,000 can be issued for the wilful violation of these requirements (article 61(b) of the revFADP).

Upon notice or ex officio, the FDPIC may, further, initiate an investigation if there is any indication that a company has appointed a processor without meeting the requirements of art. 9 revFADP (art. 49 of the revFADP). Following an investigation, the FDPIC may issue an order to adjust, interrupt or terminate the processing of personal data or that the personal data itself be deleted in whole or in part (art. 51 of the revFADP). In this context, the FDPIC may also charge fees (art. 59 of the revFADP).

This illustrates how important it is for a company to comply with the applicable requirements and also to document its compliance properly.

Checklist

What does a company have to check with regard to processing by a processor?

Is there a process in the company to conclude a data processing agreement with current and future data processors? If so, does this process include the points below?

Internal template for signing contracts

  • This should include the contract structure; for points that can be included here, please see above "under what conditions is data processing by processors permitted?"

Information sheet for filling in the template

  • Clarification prior to conclusion of the contract: is there a duty of confidentiality (e.g., through a contract) that influences or even prevents the processing of data by (other) processors?
  • What needs to be adapted to the specific case?
  • What can be changed?
  • What must not be changed?

Have we established a specific standard of technical and organisational measures that our data processors must implement?

Do we have training material for our employees so that they understand when a data processing agreement has to be concluded with a service provider?

Are we ourselves acting as data processors? In this case, do we enter into data processing agreements with our customers?

Does the company assign processors?

Are there companies that process personal data on our behalf?

Does the outsourcing of data processing comply with the general data protection principles?

Art. 9 Data processing by processors

1 The processing of personal data may be assigned to a processor by agreement or by legislation if:
a. the data is processed only in the manner permitted for the controller itself; and
b. it is not prohibited by a statutory or contractual duty of confidentiality.

2 The controller must in particular ensure that the processor guarantees data security.

3 The processor may assign the processing to a third party only with the prior authorisation of the controller.

4 It may invoke the same justifications as the controller.