What you should bear in mind when outsourcing
If you assign the processing of personal data to a processor (e.g. a cloud provider, web hosting company, mail order firm, call centre, fiduciary company or IT support company), you remain responsible for data protection. You must ensure that the data is processed in accordance with the contractual or statutory requirements.
The controller (instructing party) must actively ensure that the processor complies with the law to the same extent that it would itself. This applies in particular to compliance with general principles, rules on data security, and rules on cross-border disclosure. By analogy with Article 55 of the Swiss Code of Obligations (employer's liability), the controller must prevent violations of the FADP. The controller is also required to select its processor with care, to provide appropriate instruction and to monitor the processor where necessary.
Data processing within the same legal entity (subsidiary, administrative unit, employees) does not constitute processing by a processor.
Obligations of the processor
- Processors must meet their obligations towards controllers, in particular they must report breaches of data security so that controllers can comply with their duty to notify the FDPIC in accordance with Article 24 paragraph 1 FADP.
- In principle, processors must not process personal data for their own purposes. If they nevertheless do so, the processor itself must be able to rely on its own grounds for justification.
The obligations of controllers
In accordance with Article 9 FADP, controllers must contractually ensure and satisfy themselves that:
- the data is only processed in the manner in which the controller itself is permitted to process it
It is important to ensure that the processor only processes the outsourced data in accordance with the controller's instructions and to regulate how these instructions are delivered.
- no duties of confidentiality are being breached
In certain circumstances, data is subject to statutory or contractual duties of confidentiality (e.g. professional secrecy, bank client confidentiality, official secrecy). If this is the case, you should ensure that outsourcing data that is deemed confidential does not result in a breach of the controller's duty of confidentiality.
- the processor is taking appropriate steps to ensure data security
The controller must satisfy itself in particular that the processor is able to guarantee data security.
Besides checking and contractually safeguarding the technical and organisational measures put in place by the processor to protect its systems and the processed data, it may also be wise to check how the processor ensures that the implemented measures are appropriate and effective with regard to the state of the art and the risk involved. This can be done by means of audits and certifications, for example.
- subcontracting can only take place with controller’s consent
The processor may only assign the processing to a third party with the prior consent of the controller. In the private sector, the consent is not required to take any particular form. However, the processor must provide evidence that consent has been granted. This may be a general declaration of consent. In this case, the processor must notify the controller of every change (if processors are substituted or new ones brought in) to give the controller the opportunity to object to the changes.
- the controller remains able to meet its obligations towards the supervisory authority and data subjects
To this end it may be wise to put in place contractual agreements (e.g. duty to cooperate) and organisational measures to ensure that data that is outsourced can be deleted or corrected where necessary, and that it can be located for the processing of a request for information.
If the outsourcing leads to cross-border disclosure of personal data, the following must also be checked: whether the countries in which the data is processed have an appropriate level of data protection.
This step requires information on the locations of data processing and/or the registered office or domicile of the processor or sub-processor. If the processor/cloud service provider is located in a country that does not have a comparable level of data protection to Switzerland, or the data is processed in countries that do not have an appropriate level of protection compared with Switzerland, the data cannot be disclosed unless steps are taken to ensure that the data transmission will enjoy an appropriate level of protection abroad. Please refer to our explanations on the cross-border disclosure of personal data.
Use of cloud services
If data is stored in a cloud, this is in principle a specific form of outsourced processing which must meet the relevant requirements. You'll find further information on this in our Information on data processing in a cloud.
Rights of data subjects
As a data subject, you can exercise your rights (see 'My rights') directly in relation to the controller at any time. Even if the controller assigns the processing of personal data to a processor, the controller remains responsible for providing information. If the controller is unable to provide the information itself, it must forward the request to the processor. The processor is required to assist the controller in providing information, assuming it does not respond to the request itself on behalf of the controller.
Last modification 24.08.2023