Outsourcing of data processing

Outsourcing of data processing

What you should bear in mind when outsourcing

If you assign the processing of personal data to a processor (e.g. a cloud provider, web hosting company, mail order firm, call centre, fiduciary company or IT support company), you remain responsible for data protection. You must ensure that the data is processed in accordance with the contractual or statutory requirements.

The controller (instructing party) must actively ensure that the processor complies with the law to the same extent that it would itself. This applies in particular to compliance with general principles, rules on data security, and rules on cross-border disclosure. By analogy with Article 55 of the Swiss Code of Obligations (employer's liability), the controller must prevent violations of the FADP. The controller is also required to select its processor with care, to provide appropriate instruction and to monitor the processor where necessary.

Data processing within the same legal entity (subsidiary, administrative unit, employees) does not constitute processing by a processor. 

Obligations of the processor

  1. Processors must meet their obligations towards controllers, in particular they must report breaches of data security so that controllers can comply with their duty to notify the FDPIC in accordance with Article 24 paragraph 1 FADP.  
  2. In principle, processors must not process personal data for their own purposes. However, if they do, the processor must be able to claim their own grounds in justification.

The obligations of controllers

In accordance with Article 9 FADP, controllers must contractually ensure and satisfy themselves that:

  1. the data is only processed in the manner in which the controller itself is permitted to do it:
    It is important to ensure that the processor only processes the outsourced data in accordance with the controller's instructions and to regulate how these instructions are delivered. 
  2. no duties of confidentiality are being breached
    In certain circumstances, data is subject to statutory or contractual duties of confidentiality (e.g. professional secrecy, bank client confidentiality, official secrecy). If this is the case, you should ensure that outsourcing data that is deemed confidential does not result in a breach of the controller's duty of confidentiality. 
  3. the processer is taking appropriate steps to ensure data security
    The controller must satisfy itself in particular that the processor is able to guarantee data security. 
    Besides checking and contractually safeguarding the technical and organisational measures put in place by the processor to protect its systems and the processed data, it may also be wise to check how the processor ensures that the implemented measures are appropriate and effective with regard to the state of the art and the risk involved. This can be done by means of audits and certifications, for example. 
  4. subcontracting can only take place with controller’s consent
    The processor may only assign the processing to a third party with the prior consent of the controller. In the private sector, the consent is not required to take any particular form. However, the processor must provide evidence that consent has been granted. This may be a general declaration of consent. In this case, the processor must notify the controller of every change (if processors are substituted or new ones brought in) to give the controller the opportunity to object to the changes.
  5. the controller remains able to meet its obligations towards the supervisory authority and data subjects
    To this end it may be wise to put in place contractual agreements (e.g. duty to cooperate) and organisational measures to ensure that data that is outsourced can be deleted or corrected where necessary, and that it can be located for the processing of a request for information. 

Cross-border disclosure

If the outsourcing leads to cross-border disclosure of personal data, the following must also be checked:whether the countries in which the data is processed have an appropriate level of data protection.

This step requires information on the locations of data processing and/or the registered office or domicile of the processor or sub-processor. If the processor/cloud service provider is located in a country that does not have a comparable level of data protection to Switzerland, or the data is processed in countries that do not have an appropriate level of protection compared with Switzerland, the data cannot be disclosed unless steps are taken to ensure that the data transmission will enjoy an appropriate level of protection abroad. Please refer to our explanations on the cross-border disclosure of personal data.  

Use of cloud services

If data is stored in a cloud, this is in principle a specific form of outsourced processing which must meet the relevant requirements. You'll find further information on this in our Information on data processing in a cloud. 

Rights of data subjects

As a data subject, you can exercise your rights (see 'My rights') directly in relation to the controller at any time.Even if the controller assigns the processing of personal data to a processor, the controller remains responsible for providing information. If the controller is unable to provide the information itself, it must forward the request to the processor. The processor is required to assist the controller in providing information, assuming it does not respond to the request itself on behalf of the controller.

Data protection certification

The certification of systems, products and services promotes transparency in data processing.

Cross-border transfer of personal data

The cross-border transfer of personal data is subject to special rules. The following must be considered before data is transferred to other countries.

Data processing in the cloud

More and more businesses and public authorities are using cloud services and outsourcing their data or data processing tasks to a cloud service provider

Privacy statements on the internet

Who needs a privacy statement and what should it contain?

Questions on data protection

Take a look at our FAQ or call our hotline.


Access privacy recommendations and onward moves.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Last modification 24.08.2023

Top of page