default

Data processing by processors

FAQ

    At a glance

    The revFADP still permits the outsourcing of data processing or work related to the processing of personal data. However, certain requirements have to be met by the person who performs the so-called “outsourced data processing”. In addition, the person who outsources the data processing must ensure that the processor complies with these requirements.

    Introduction

    The outsourcing of data processing is widespread in practice. This is referred to in the revFADP as "data processing by processors". There are a number of rules to be observed in this regard.

    In principle, in relation to processing by processors, Swiss law (art. 9 of the revFADP) provides similar obligations – albeit less detailed – to the controller as EU law (art. 28 GDPR), but Swiss law does not specify any minimum information regarding the content of data processing agreements that controllers and processors are required to enter into.

    Who is the "controller" and the "processor"?

    The "controller" is the entity or the person that decides on the processing of personal data by determining the purpose and means (such as analyses of feedback or correspondence from customers, cookies on websites, storage location of personal data) of the data processing.

    The controller may outsource the processing of personal data to a "processor". A processor processes personal data on behalf of the controller and does not decide on the purpose and means of the data processing. The processor is not permitted to process the data for its own purposes. It is not always clear who the controller and the processor is within the meaning of the revFADP. This must always be assessed on a case-by-case basis. However, the following are a few examples to illustrate this.

    • Examples of processors

      Generally, the following qualify as processors:

      • The provider of a service that enables its customers (controller) to collect statistics on website usage.
      • The cloud provider operating a server on which the customers (controllers) may lease storage space. (unless all data is encrypted; then the cloud provider may not be processing personal data at all.)
      • The operator of a call centre operating a call centre and documenting its calls for and on behalf of a customer (controller).
      • The IT support provider who also has access to a large amount of personal data on the IT systems within the scope necessary (even if this personal data is not accessed, the possibility to access the data is sufficient).
      • The provider of payroll software or services which executes payments or sends salary slips on behalf of an employer.

    In case the processing of data is delegated to persons within the company, the following applies: employees are not considered processors. However, a group company that, for example, makes salary payments for another company in the same group, can qualify as a processor.

    What happens if several individuals can decide on the processing of personal data?

    There is a specific article in EU law (GDPR art. 26) that introduces the term "Joint Controller(s)". This is only implicitly apparent from the definition of controller in Swiss law (art. 5 (j) of the revFADP: "alone or together with others"). Swiss law does not provide any specific rules for so-called "joint controllership". However, in EU law, persons jointly responsible must establish a written agreement on the allocation of tasks and obligations. Although this is not provided for in Swiss law, it nevertheless makes sense to sign such an agreement in order to provide greater clarity for the parties involved regarding their rights and obligations as well as responsibilities. Joint controllers may be two (or more) companies or two bodies that make joint decisions (on the purpose and means) to process personal data.

    One example of joint controllers may be a travel agency which, together with a hotel chain and an airline, operates an internet platform to offer travel packages. The three companies agree which personal data is stored where and who can access it. However, there is no shared data processing outside the internet platform.

    Another example for joint controllership may be two companies that have jointly developed a product and want to organise a marketing event for it. In order to do so, they share personal data of their clients with each other and jointly decide who they wish to invite and how to invite them for this event, how feedback on the event is collected, and what subsequent marketing actions are to be taken. For the purposes of this marketing operation, these two companies may be considered joint controllers of the personal data processed.

    Under what conditions is data processing by processors permitted?

    A contractual agreement between the controller and processor is required for data processing by processors (so-called data processing agreement). In contrast to the GDPR, the revFADP does not contain any specific requirements regarding the content of such agreements.

    • The agreement should, in particular, specify what data will be processed and ensure that the data processing is carried out correctly by the processor.
    • The agreement should include the following

      • Subject matter and duration of the processing
      • Nature and purpose of processing
      • Nature of personal data
      • Categories of data subjects
      • Obligations and rights of the controller
      • Obligations and rights of the processor
      • Controller's right to issue instructions
      • Obligation to delete or return the processed data when the contractual relationship is terminated
      • List of technical and organisational measures to be implemented by the processor
      • Rules on the involvement of subcontractors ("sub-processors")

    The controller must ensure that the processor processes the data only for the purposes that the controller is allowed to itself; in particular, this means that the processor may not process the data for its own or third-party interests.

    The controller must ensure that there is no confidentiality obligation it would violate by outsourcing the processing of data (e.g., outsourcing by a bank may require the consent of the bank's customers on the basis of banking secrecy). Where there is a duty of confidentiality, the consent of the persons concerned may have to be obtained before outsourcing.

    The controller must ensure that the processor has implemented appropriate technical and organisational security measures to protect personal data. For details, please refer to the section on "data security".

    Depending on whether a company operates in a highly regulated area, such as banking, healthcare or insurance, additional requirements may need to be met.

    • If a data processor wishes to instruct a subcontractor (so-called sub-processor) to process data of the controller, the same general requirements must be met. The subcontractor must in principle fulfil the same obligations as the processor vis-à-vis the controller.
    • If the processor wants to outsource the processing of data to a subcontractor, it first needs to obtain the consent of the controller.
    • If the controller provides a general consent, the processor must inform the controller of any changes to the sub-processors. As in European law, the controller has the right to object in such a case, i.e., if the controller does not agree with the outsourcing, a contractual solution for such cases must be agreed (this may include a mutual right of termination).

    What happens if data is disclosed to a third party who does not qualify as a processor and processes the data for its own purposes?

    In such cases, the third party qualifies as a separate controller. This means that once the data has been disclosed to the third party, the third party itself has responsibility to comply with the revFADP.

    The company that intends to disclose personal data to the third party should then also verify whether the disclosure even complies with the general data protection principles. It should also clarify whether sensitive personal data is involved, because if sensitive personal data is disclosed to third parties, a justification is required (explicit consent, overriding private or public interest or legal basis).

    The company that intends to disclose personal data to a third party must also inform the affected data subjects – data subjects must be informed by law as to who the recipients of their data are and which categories of their personal data are disclosed to third parties.

    Can a company be fined if a processor is appointed without meeting the requirements?

    Yes, upon request, a fine of up to CHF 250,000 can be issued for the wilful violation of these requirements (article 61(b) of the revFADP).

    Upon notice or ex officio, the FDPIC may, further, initiate an investigation if there is any indication that a company has appointed a processor without meeting the requirements of art. 9 revFADP (art. 49 of the revFADP). Following an investigation, the FDPIC may issue an order to adjust, interrupt or terminate the processing of personal data or that the personal data itself be deleted in whole or in part (art. 51 of the revFADP). In this context, the FDPIC may also charge fees (art. 59 of the revFADP).

    This illustrates how important it is for a company to comply with the applicable requirements and also to document its compliance properly.

    Checkliste

    What does a company have to check with regard to processing by a processor?

    Is there a process in the company to conclude a data processing agreement with current and future data processors? If so, does this process include the points below?

    Internal template for signing contracts

    • This should include the contract structure; for points that can be included here, please see above "under what conditions is data processing by processors permitted?"

    Information sheet for filling in the template

    • Clarification prior to conclusion of the contract: is there a duty of confidentiality (e.g., through a contract) that influences or even prevents the processing of data by (other) processors?
    • What needs to be adapted to the specific case?
    • What can be changed?
    • What must not be changed?

    Have we established a specific standard of technical and organisational measures that our data processors must implement?

    Do we have training material for our employees so that they understand when a data processing agreement has to be concluded with a service provider?

    Are we ourselves acting as data processors? In this case, do we enter into data processing agreements with our customers?

    Does the company assign processors?
    Does the outsourcing of data processing comply with the general data protection principles?

    Art. 9 Data processing by processors

    1 The processing of personal data may be assigned to a processor by agreement or by legislation if:
    a. the data is processed only in the manner permitted for the controller itself; and
    b. it is not prohibited by a statutory or contractual duty of confidentiality.

    2 The controller must in particular ensure that the processor guarantees data security.

    3 The processor may assign the processing to a third party only with the prior authorisation of the controller.

    4 It may invoke the same justifications as the controller.