Data Processing Agreement Template for Switzerland

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Processing Agreement?

The Data Processing Agreement is a mandatory legal document required under Swiss data protection law when a company (data controller) engages another party (data processor) to process personal data on its behalf. This agreement has become increasingly important with the implementation of the new Swiss Federal Act on Data Protection in 2023, which brought Swiss law closer to GDPR standards. The document outlines specific obligations, security measures, and compliance requirements for both parties, ensuring proper handling of personal data and protection of data subjects' rights. It is particularly crucial for international businesses operating in or through Switzerland, as it must address both domestic requirements and potentially international data protection standards. The agreement typically includes detailed technical specifications, security measures, breach notification procedures, and data transfer mechanisms, making it an essential tool for maintaining regulatory compliance and establishing clear accountability in data processing relationships.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

Switzerland

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Processing Agreement

A Data Processing Agreement is a critical legal document that governs the relationship between data controllers and data processors under Swiss data protection law. When your organization engages external service providers to handle personal data, this agreement ensures compliance with the Swiss Federal Act on Data Protection (FADP) and protects both parties from regulatory risks.

When do you need this document?

You need a Data Processing Agreement whenever your company acts as a data controller and outsources data processing activities to third-party service providers. This includes engaging cloud service providers, payroll companies, marketing agencies, IT support firms, or any vendor that will access, store, or process personal data on your behalf. The agreement is also required when you act as a data processor for other organizations. International companies operating in Switzerland must have these agreements in place before any data processing begins, as Swiss law requires written contracts for all data processing arrangements.

Key legal considerations

Your Data Processing Agreement must clearly define the scope and purpose of data processing, specifying exactly what data will be processed and for what purposes. The document should include robust security measures and technical safeguards to protect personal data, along with detailed procedures for data breach notification and incident response. You must address data subject rights, including access, rectification, and deletion requests, and establish clear procedures for handling these requests. The agreement should specify data retention periods, deletion procedures, and return of data upon contract termination. Subprocessor arrangements require special attention, including written authorization requirements and ensuring subprocessors meet the same data protection standards. Cross-border data transfers need specific legal mechanisms and adequacy assessments.

Legal requirements in Switzerland

Under the Swiss Federal Act on Data Protection (FADP), effective since September 2023, data processing agreements must meet specific legal standards. The agreement must be in writing and signed before any data processing begins. Swiss law requires data processors to implement appropriate technical and organizational measures to ensure data security, with specific obligations for data breach notification within 72 hours to relevant authorities. The FADP mandates that data processors may only process data according to the controller's instructions and must immediately inform controllers of any legal violations or compliance issues. For international data transfers, you must ensure adequate protection levels or implement appropriate safeguards such as standard contractual clauses. The agreement must specify the data processor's obligations regarding data subject rights and cooperation with Swiss data protection authorities. Additionally, if your organization processes data of EU residents, you may need to comply with GDPR requirements alongside Swiss law, requiring careful coordination between both regulatory frameworks.

GOVERNING LAW

Applicable law

This Data Processing Agreement is drafted to comply with Switzerland law. Key legislation includes:

Swiss Federal Act on Data Protection (FADP/nFADP): The new Federal Act on Data Protection (effective September 2023) which modernizes Swiss data protection law and brings it closer to GDPR standards. This is the primary legislation governing data protection in Switzerland.
Swiss Federal Ordinance on Data Protection: The implementing ordinance that provides detailed requirements and specifications for implementing the FADP, including specific obligations for data processors.
EU General Data Protection Regulation (GDPR): While not directly applicable in Switzerland, GDPR is relevant due to its extraterritorial scope and Switzerland's close alignment with EU standards. Many Swiss companies process EU residents' data or work with EU companies.
Swiss Code of Obligations: The federal act governing contract law in Switzerland, which provides the general legal framework for contractual relationships and obligations between parties.
Swiss Criminal Code: Contains provisions regarding data theft, unauthorized access to data processing systems, and breach of professional confidentiality, which may be relevant for data processing violations.
Federal Act on Financial Market Infrastructures (FMIA): Relevant if the data processing involves financial sector data, as it contains specific requirements for data handling in financial services.
Swiss Banking Act: Important if the data processing involves banking data, as it contains specific provisions about banking secrecy and data handling in the banking sector.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it