Switzerland: Overview of Vendor Privacy Contracts
On September 25, 2020, the Federal Parliament enacted a revised Federal Act on Data Protection. Subsequently, on August 31, 2022, the Federal Council resolved a revised Ordinance to the Federal Act on Data Protection. Both of these will enter into force on September 1, 2023. The revised data protection law implements the requirements of the Council of Europe's modernized Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data and is aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, it should be noted that there are certain significant deviations from the GDPR.
Although Switzerland is neither a member of the European Union ('EU') nor of the European Economic Area ('EEA'), the GDPR may under certain circumstances apply to Swiss-based companies due to its extraterritorial scope of applicability.
Notwithstanding the above, the following Insight article focuses on the Swiss data protection law in force in September 2022.
1. Governing texts
Governing texts in force in September 2022:
- The Federal Act on Data Protection of June 19, 1992 (SR 235.1) ('FADP');
- The Ordinance to the Federal Act on Data Protection of June 14, 1993 (SR 235.11) ('OFADP').
Revised governing texts (entry into force on September 1, 2023):
- The revised Federal Act on Data Protection of September 25, 2020 ('revised FADP') (only available in German, French, and Italian);
- The revised Ordinance to the Federal Act on Data Protection of August 31, 2022 ('revised OFADP') (currently only available in German, French, and Italian).
1.2. Regulatory authority guidance
Key non-binding guidelines by the Federal Data Protection and Information Commissioner ('FDPIC') include:
- Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6(1) of the Swiss Federal Act on Data Protection;
- Guide to checking the admissibility of direct or indirect data transfers to foreign countries (Art. 6(2)(a) of the FADP);
- Guidelines on data subjects' rights regarding the processing of personal data (only available in German, French, and Italian);
- Guidelines on the processing of personal data in the private sector (only available in German, French, and Italian); and
- Guide for technical and organizational security measures.
Additional guidelines on various topics regarding data protection can be obtained from the website of the FDPIC (full version only available in German).
1.3. Regulatory authority templates
In its statement of August 27, 2021, the FDPIC recognized the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ('SCC') as a basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law. Therefore, the following decisions by the European Commission on SCC for transfers of personal data to third countries are of relevance for Switzerland:
- Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance); and
- Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (Text with EEA relevance).
The FDPIC has released the following explanations to show which adaptations and amendments must be made to the SCC:
- The transfer of personal data to a country with an inadequate level of data protection based on recognized standard contractual clauses and model contracts.
The Swiss Transborder Data Flow Agreement ('TBDFA') of November 2013 is no longer recognized by the FDPIC and may only remain in use during a transitional period until December 31, 2022, provided that the data processing and the pre-existing agreement do not change significantly in the meantime. A new TBDFA does not exist yet; the FDPIC is currently in the process of revising it.
2. Definitions
Controller of the data file ('controller'): The term 'controller' refers to the natural or legal person, public authority, agency, or other body which decides on the purpose and content of a data file (Article 3(i) of the FADP).
Data file: Any set of personal data that is structured in such a way that the data is accessible by data subjects (Article 3(g) of the FADP).
Data subjects: The natural or legal persons whose data is processed (Article 3(b) of the FADP). Under the revised FADP, however, data of legal persons is no longer covered.
Personal data ('Data'): All information relating to an identified or identifiable person (Article 3(a) of the FADP).
Processing: Any operation with data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving, or destruction of data (Article 3(e) of the FADP).
Processor: The FADP distinguishes between controllers and Third Parties processing personal data on behalf of such controllers (Article 10a(1) of the FADP). The revised FADP, however, will use the term 'processor' instead of the term 'Third Party'. Since the term 'processor' is also commonly used in the international context and in order to avoid any misunderstandings, this term is used hereafter instead of the term 'Third Party'.
Sensitive personal data: Data on religious, ideological, political, or trade union-related views or activities, health, the intimate sphere or the racial origin, social security measures, and administrative or criminal proceedings and sanctions (Article 3(c) of the FADP). The revised FADP will add genetic data and biometric data that uniquely identify an individual.
3. Contractual requirements
3.1. Are there requirements for a contract to be in place between a controller and a processor?
Article 10a(1) of the FADP requires that the processing of personal data may be assigned by agreement or by law if the data is processed only in the manner permitted for the instructing party itself and it is not prohibited by a statutory or contractual duty of confidentiality. The FADP does not stipulate the form in which the agreement has to be concluded. In practice, it is advisable to conclude a written agreement. If data is transferred abroad, the provisions on cross-border transfers additionally need to be followed and the controller must additionally verify that the processor guarantees the security of the data. Under the revised FADP, the situation is similar.
3.2. What content should be included?
Usually, a contract should include the following topics:
- subject and scope of the data processing;
- rights and obligations of the parties;
- reporting requirements;
- purpose of the data processing;
- location of the data processing;
- authority over the data;
- subcontracting relationships;
- protection of data subject rights;
- secrecy obligations;
- technical and organizational measures;
- contractual penalties;
- duration and termination of the contract;
- applicable law and place of jurisdiction;
- if necessary, clauses for the transfer of personal data abroad (e.g. SCC); and
- if necessary, clauses on the processor's obligation to guarantee the security of the data.
Unlike Article 28(3) of the GDPR, the FADP does not include content-related requirements. However, a controller may use the GDPR requirements as a guide on how to comply with its obligations under Swiss law.
4. Data subject rights handling and assistance
4.1. Are processors required to assist controllers with the handling of data subject requests?
In connection with the right to information, the controller remains under an obligation to provide information, if they have personal data processed by a processor (Article 8(4) of the FADP). According to Article 1(6) of the OFADP, the controller must pass the request for information to the processor, if the request relates to data that is being processed by the processor on behalf of the controller and if the controller is not able to provide the information. In certain situations, the processor may even be obliged to provide the information directly to the data subject (Article 8(4) of the FADP). These situations include when the processor fails to disclose the identity of the controller or when the controller is not domiciled in Switzerland.
In general, processors may be required to assist controllers with the handling of data subject requests due to their contractual obligations.
For further information on data subject rights under the FADP, see Switzerland – Data Subject Rights.
5. Processor recordkeeping
5.1. Are processors required to keep records of their processing activities?
Controllers must register their data files with the FDPIC if they regularly process sensitive personal data or regularly disclose personal data to third parties (Article 11a(3) of the FADP). They are exempted from this registration obligation under certain circumstances (e.g. where the data is processed in fulfilment of a statutory obligation). On the other hand, there is no such requirement for processors.
Under the revised FADP, the obligation to register data files will no longer apply to controllers. Instead, both controllers and processors will have to keep records of their processing activities. According to the revised OFADP, companies and other organizations under private law that employ fewer than 250 employees on January 1 of a year, as well as natural persons, are exempt from the obligation to keep a register of processing activities, unless personal data requiring special protection is processed on a large scale or high-risk profiling is carried out.
The records kept by processors will have to include, among other things:
- the identity of the processor and the controller;
- the categories of processing carried out on behalf of the controller;
- when possible, a general description of the technical and organizational security measures; and
- if applicable, transfers of personal data abroad, including the identification of the country and the documentation of suitable safeguards.
6. Security measures
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Ensuring data security is one of the most basic principles of data protection. According to Article 10a(2) of the FADP, controllers have to ensure that processors implement appropriate security measures. The implementation and compliance with the security measures should be audited by the controller.
Article 7(1) of the FADP stipulates that personal data must be protected against unauthorized processing through adequate technical and organizational measures. Under the revised FADP, processors will be explicitly required to ensure appropriate data security. Anyone who as a private entity processes personal data must ensure the confidentiality, availability, and integrity of the data to ensure an appropriate level of data protection (Article 8(1) of the OFADP). In particular, the systems must be protected against the following risks:
- unauthorized or accidental destruction;
- accidental loss;
- technical faults;
- forgery, theft, or unlawful use; and
- unauthorized alteration, copying, access, or other unauthorized processing.
In assessing the appropriate level of security, the following criteria must be taken into account (Article 8(2) of the OFADP):
- purpose of the data processing;
- nature and extent of the data processing;
- assessment of the possible risks to the data subjects; and
- current state of the art.
These measures must be reviewed periodically. The OFADP lists several specific measures to guarantee the right of access and to have data corrected (Article 9(2) of the OFADP), as well as the logging (Article 10 of the OFADP), documentation (Article 11 of the OFADP), and disclosure of data (Article 12 of the OFADP).
7. Breach notification
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there a timeframe and content requirements?
There is no statutory requirement for processors to notify controllers of data breaches. However, a notification obligation may be derived from other provisions within the FADP or pursuant to the principles of good faith and transparency. In addition, processors are often bound by contractual provisions that require the disclosure of data breaches. Furthermore, Article 7(1) of the FADP stipulates that personal data must be protected against unauthorized processing through adequate technical and organizational measures. These organizational measures may include the duty to notify a controller in the event of a data breach. Finally, Swiss law imposes sector-specific data security obligations on various industries and market participants (e.g. financial services organizations, healthcare providers).
Under the revised FADP, however, processors will be legally required to notify the controller about any data security breach. Although the revised FADP does not explicitly mention the content requirements for processors, the requirements for controllers may be used as a guideline:
- nature of the data breach;
- time and duration of the data breach (if known);
- categories and approximate number of personal data concerned (if known);
- categories and approximate number of data subjects (if known);
- consequences, including any risks, for the data subjects;
- measures that have been taken or are being planned to remedy the breach or mitigate the consequences of the breach; and
- name and contact details of a contact person.
Furthermore, the notification has to be made as soon as possible.
For further information see Switzerland – Data Breach.
8. Subprocessors
8.1. Are subprocessors regulated? If so, what obligations are imposed?
The FADP does not regulate subprocessors. According to the revised FADP, however, the involvement of subprocessors will only be permitted with the approval of the controller. Approval means the consent of the controller either in the individual case or by way of a general approval. In the latter case, the controller must be informed about the subprocessor by name, country, and task. Additionally, the controller needs to have the possibility to object to the data processing by the subprocessor.
9. Cross-border transfers
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
Article 6(2)(a) of the FADP stipulates that personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular in the absence of legislation that guarantees adequate protection. Therefore, cross-border data transfer restrictions under the FADP apply to both controllers and processors.
In general terms, transfers that seriously endanger the privacy of the data subjects are prohibited, unless one of the following criteria is met:
- the existence of a decision by the FDPIC that the recipient destination provides an adequate level of protection for data (Article 7 of the OFADP);
- in the absence of legislation that guarantees adequate protection, according to Article 6(2) of the FADP, personal data may be disclosed abroad only if (alternatively):
  - sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad (e.g. SCC, see section on regulatory authority templates above);
  - the data subject has consented in the specific case;
  - the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;
  - disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise, or enforcement of legal claims before the courts;
  - disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;
  - the data subject has made the data generally accessible and has not expressly prohibited its processing; or
  - disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
The FDPIC maintains a list of countries whose legislation ensures an adequate level of data protection (only available in German and French). India, Russia, Turkey, and the United States of America, for example, do not meet the requirements for an adequate level of data protection within the meaning of the FADP. The situation is similar under the revised FADP.
For further information see Switzerland – Data Transfers.
10. Regulatory assistance
10.1. Are processors required to assist controllers with regulatory investigations?
Under the current FADP, the FDPIC is not allowed to conduct regulatory investigations. Under the revised FADP, however, the FDPIC will be allowed to conduct regulatory investigations against private and public entities. Private and public entities, such as a controller or a processor, will be required to assist the FDPIC with ongoing regulatory investigations. They will be obliged to provide the FDPIC with all the information and documents necessary for the investigation.
11. Processor DPO/representative
11.1. Are processors required to appoint a DPO/representative?
Data Protection Officer ('DPO')
Appointing a DPO is neither required under the FADP currently in force nor under the revised FADP. While the revised FADP includes the figure of the 'data protection advisor', it only mentions it in connection with the controller. It may be advisable to appoint a DPO voluntarily, as compliance with documentation and notification obligations under the revised FADP requires businesses, in practice, to establish an internal data protection function.
For further information see Switzerland – Data Protection Officer Appointment.
Representative
Under the FADP, it is not required to appoint a representative. As per the revised FADP, however, a controller with a registered office or place of residence abroad will under certain conditions need to designate a representative in Switzerland, if the controller processes any personal data of individuals in Switzerland. The revised FADP mentions representatives only in connection with controllers. Therefore, processors are – even under the revised FADP – not required to appoint a representative.
12. Supervision and monitoring
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
Article 10a(2) of the FADP stipulates that the controller has to make sure that the processor provides sufficient guarantees regarding its compliance with data security. This means that the controller provides the processor with clear specifications and monitors their implementation and compliance. Additionally, a duty to supervise and monitor processors' compliance with the law and contract may also be derived from other provisions within the FADP, such as Article 7(1), which stipulates that data must be protected against unauthorized processing through adequate technical and organizational measures. Such measures may include the supervision of the processors' compliance with the law and contractual obligations.