Data Controller DPA Template for Switzerland


Key Requirements PROMPT example:

Data Controller DPA

"I need a Data Controller DPA under Swiss law for our cloud-based healthcare software company that will process patient data from both Swiss and EU hospitals, with specific provisions for GDPR compliance and healthcare industry standards, to be implemented by March 2025."

What is a Data Controller DPA?

This Data Controller DPA is essential for any organization that engages third parties to process personal data under Swiss jurisdiction. The document is specifically designed to meet the requirements of Swiss data protection law, including the Federal Act on Data Protection and its revised version, while also considering international data protection standards where applicable. It serves as a legally binding agreement that defines the relationship between a data controller and data processor, establishing clear guidelines for data handling, security measures, breach notifications, and compliance requirements. This agreement is particularly crucial given Switzerland's strict data protection regime and its position as a major international business hub, often requiring compliance with both Swiss and EU data protection standards. The document should be implemented before any data processing activities commence and updated as regulatory requirements or processing activities evolve.

What sections should be included in a Data Controller DPA?

1. Parties: Identification of the data controller and data processor, including full legal names, registration details, and addresses

2. Background: Context of the agreement, relationship between the parties, and purpose of data processing activities

3. Definitions: Key terms used throughout the agreement, including technical and legal terminology aligned with Swiss data protection law

4. Scope and Purpose of Processing: Detailed description of the data processing activities, categories of data, and purposes of processing

5. Obligations of the Processor: Core responsibilities of the processor including processing only on documented instructions, confidentiality, security measures, and assistance obligations

6. Technical and Organizational Measures: Specific security measures required to ensure an appropriate level of data protection

7. Sub-processing: Conditions and requirements for engaging sub-processors, including authorization process

8. Data Subject Rights: Procedures for handling data subject requests and processor's obligations to assist

9. Personal Data Breach: Notification requirements and procedures in case of data breaches

10. Audit Rights: Controller's rights to audit and processor's obligations to demonstrate compliance

11. Cross-border Transfers: Rules and safeguards for international data transfers, particularly important under Swiss law

12. Term and Termination: Duration of the agreement and circumstances for termination

13. Return or Deletion of Data: Obligations regarding personal data upon termination of services

14. Liability and Indemnification: Allocation of responsibility and liability between parties

15. Governing Law and Jurisdiction: Specification of Swiss law as governing law and jurisdiction for disputes

What sections are optional to include in a Data Controller DPA?

1. Insurance Requirements: Specific insurance obligations for the processor, recommended for high-risk processing activities

2. Specific Industry Requirements: Additional provisions for regulated industries (e.g., healthcare, financial services)

3. Business Continuity: Requirements for maintaining service continuity, recommended for critical processing activities

4. Cost Allocation: Specific provisions about who bears costs for various compliance activities, useful when significant compliance costs are expected

5. Joint Controller Provisions: Required only when the relationship includes elements of joint controllership

6. Data Protection Impact Assessments: Specific provisions about cooperation in DPIAs, recommended for high-risk processing

7. Representatives: Designation of representatives in Switzerland/EU if parties are not established in these territories

What schedules should be included in a Data Controller DPA?

1. Schedule 1 - Processing Activities: Detailed description of processing activities, including categories of data subjects, types of personal data, and processing purposes

2. Schedule 2 - Technical and Organizational Measures: Detailed specification of security measures implemented by the processor

3. Schedule 3 - Authorized Sub-processors: List of approved sub-processors and their processing activities

4. Schedule 4 - Transfer Mechanisms: Details of mechanisms used for international data transfers, including standard contractual clauses if applicable

5. Schedule 5 - Contact Points: List of key contacts for operational, security, and data protection matters

6. Appendix A - Standard Contractual Clauses: If needed for international transfers, the applicable standard contractual clauses

7. Appendix B - Security Breach Response Plan: Detailed procedures for handling and reporting data breaches

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Financial Services

Healthcare

Technology

E-commerce

Manufacturing

Professional Services

Insurance

Telecommunications

Education

Pharmaceutical

Real Estate

Retail

Hospitality

Transportation and Logistics

Energy and Utilities

Relevant Teams

Legal

Compliance

Information Security

Privacy

Information Technology

Risk Management

Procurement

Operations

Data Protection

Vendor Management

Corporate Governance

Internal Audit

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Legal Counsel

Compliance Manager

Information Security Manager

Privacy Manager

Chief Information Security Officer

Chief Legal Officer

Chief Technology Officer

Risk Manager

Procurement Manager

IT Director

Operations Manager

Contract Manager

Chief Operating Officer

Data Protection Specialist

Relevant legal definitions

Swiss Federal Act on Data Protection (FADP/DSG): The primary Swiss data protection law that regulates the processing of personal data by private persons and federal bodies. Currently being revised to align more closely with GDPR standards.

Revised Swiss Federal Act on Data Protection (revFADP): The new version of Swiss data protection law coming into effect in 2023, bringing Swiss law closer to GDPR standards and introducing stronger data protection requirements.

Swiss Federal Constitution Article 13: Constitutional provision guaranteeing the right to privacy and protection against misuse of personal data, forming the legal basis for data protection in Switzerland.

EU General Data Protection Regulation (GDPR): While not Swiss law, GDPR is relevant due to its extraterritorial scope and Switzerland's close economic ties with the EU. Many Swiss companies process EU residents' data.

Swiss Civil Code: Contains general provisions on personality rights and privacy protection that may be relevant to data processing activities.

Swiss Criminal Code (Article 179novies): Criminalizes the unauthorized procurement of personal data, relevant for data security obligations in DPAs.

Federal Act on International Private Law (IPRG): Relevant for cross-border data transfers and determining applicable law in international data processing scenarios.

Ordinance to the Federal Act on Data Protection (VDSG): Implementing ordinance providing detailed requirements for data protection, including technical and organizational measures.
