Data processing by processors

The revFADP still permits the outsourcing of data processing or work related to the processing of personal data. However, certain requirements have to be met by the person who performs the so-called “outsourced data processing”. In addition, the person who outsources the data processing must ensure that the processor complies with these requirements.

The outsourcing of data processing is widespread in practice. This is referred to in the revFADP as "data processing by processors". There are a number of rules to be observed in this regard.

In principle, in relation to processing by processors, Swiss law (art. 9 of the revFADP) provides similar obligations – albeit less detailed – to the controller as EU law (art. 28 GDPR), but Swiss law does not specify any minimum information regarding the content of data processing agreements that controllers and processors are required to enter into.

The "controller" is the entity or the person that decides on the processing of personal data by determining the purpose and means (such as analyses of feedback or correspondence from customers, cookies on websites, storage location of personal data) of the data processing.

The controller may outsource the processing of personal data to a "processor". A processor processes personal data on behalf of the controller and does not decide on the purpose and means of the data processing. The processor is not permitted to process the data for its own purposes. It is not always clear who the controller and the processor is within the meaning of the revFADP. This must always be assessed on a case-by-case basis. However, the following are a few examples to illustrate this.

In case the processing of data is delegated to persons within the company, the following applies: employees are not considered processors. However, a group company that, for example, makes salary payments for another company in the same group, can qualify as a processor.

There is a specific article in EU law (GDPR art. 26) that introduces the term "Joint Controller(s)". This is only implicitly apparent from the definition of controller in Swiss law (art. 5 (j) of the revFADP: "alone or together with others"). Swiss law does not provide any specific rules for so-called "joint controllership". However, in EU law, persons jointly responsible must establish a written agreement on the allocation of tasks and obligations. Although this is not provided for in Swiss law, it nevertheless makes sense to sign such an agreement in order to provide greater clarity for the parties involved regarding their rights and obligations as well as responsibilities. Joint controllers may be two (or more) companies or two bodies that make joint decisions (on the purpose and means) to process personal data.

One example of joint controllers may be a travel agency which, together with a hotel chain and an airline, operates an internet platform to offer travel packages. The three companies agree which personal data is stored where and who can access it. However, there is no shared data processing outside the internet platform.

Another example for joint controllership may be two companies that have jointly developed a product and want to organise a marketing event for it. In order to do so, they share personal data of their clients with each other and jointly decide who they wish to invite and how to invite them for this event, how feedback on the event is collected, and what subsequent marketing actions are to be taken. For the purposes of this marketing operation, these two companies may be considered joint controllers of the personal data processed.

A contractual agreement between the controller and processor is required for data processing by processors (so-called data processing agreement). In contrast to the GDPR, the revFADP does not contain any specific requirements regarding the content of such agreements.

• The agreement should, in particular, specify what data will be processed and ensure that the data processing is carried out correctly by the processor.

The controller must ensure that the processor processes the data only for the purposes that the controller is allowed to itself; in particular, this means that the processor may not process the data for its own or third-party interests.

The controller must ensure that there is no confidentiality obligation it would violate by outsourcing the processing of data (e.g., outsourcing by a bank may require the consent of the bank's customers on the basis of banking secrecy). Where there is a duty of confidentiality, the consent of the persons concerned may have to be obtained before outsourcing.

The controller must ensure that the processor has implemented appropriate technical and organisational security measures to protect personal data. For details, please refer to the section on "data security".

Depending on whether a company operates in a highly regulated area, such as banking, healthcare or insurance, additional requirements may need to be met.

• If a data processor wishes to instruct a subcontractor (so-called sub-processor) to process data of the controller, the same general requirements must be met. The subcontractor must in principle fulfil the same obligations as the processor vis-à-vis the controller.
• If the processor wants to outsource the processing of data to a subcontractor, it first needs to obtain the consent of the controller.
• If the controller provides a general consent, the processor must inform the controller of any changes to the sub-processors. As in European law, the controller has the right to object in such a case, i.e., if the controller does not agree with the outsourcing, a contractual solution for such cases must be agreed (this may include a mutual right of termination).

In such cases, the third party qualifies as a separate controller. This means that once the data has been disclosed to the third party, the third party itself has responsibility to comply with the revFADP.

The company that intends to disclose personal data to the third party should then also verify whether the disclosure even complies with the general data protection principles. It should also clarify whether sensitive personal data is involved, because if sensitive personal data is disclosed to third parties, a justification is required (explicit consent, overriding private or public interest or legal basis).

The company that intends to disclose personal data to a third party must also inform the affected data subjects – data subjects must be informed by law as to who the recipients of their data are and which categories of their personal data are disclosed to third parties.

Yes, upon request, a fine of up to CHF 250,000 can be issued for the wilful violation of these requirements (article 61(b) of the revFADP).

Upon notice or ex officio, the FDPIC may, further, initiate an investigation if there is any indication that a company has appointed a processor without meeting the requirements of art. 9 revFADP (art. 49 of the revFADP). Following an investigation, the FDPIC may issue an order to adjust, interrupt or terminate the processing of personal data or that the personal data itself be deleted in whole or in part (art. 51 of the revFADP). In this context, the FDPIC may also charge fees (art. 59 of the revFADP).

This illustrates how important it is for a company to comply with the applicable requirements and also to document its compliance properly.

What does a company have to check with regard to processing by a processor?