What needs to be included in a Data Processing Agreement?

Philipp Rosenauer
Partner Legal, PwC Switzerland

Personal data must be protected and processed according to the data protection laws. This protection must also be granted if the data are processed by a third party, known as a processor. The processor processes data upon the instruction of the controller. To name a few examples, a processor can be a cloud provider or a printing company that prints out promotional flyers for marketing purposes. These relationships need to be secured contractually so that data protection can be guaranteed.

What needs to be considered in the data processing agreement?

To protect the personal data of data subjects, a data processing agreement must be put in place whenever data are shared with a third party. In this relationship your company assumes the role of the controller, which means that you remain responsible for ensuring compliance with data protection laws. In particular, you must ensure that the processor (e.g. the contractor) is correctly instructed: it must know how the transferred data are to be processed and how the data are to be handled once the order has been completed. The General Data Protection Regulation (GDPR) sets out clear provisions on what a data processing agreement must contain, whereas the revised Federal Act on Data Protection (revFADP) does not go into this level of detail. The revFADP merely states that:

  • the processing of personal data may be assigned to a processor by agreement or by legislation, provided that the data are processed only in a manner that would be permitted for the controller itself and that no statutory or contractual duty of confidentiality prohibits the assignment;
  • the controller must ensure that the processor is able to guarantee data security;
  • the processor may only assign the processing to a third party with the prior authorisation of the controller; and
  • the processor may invoke the same justifications as the controller.

Which aspects should be mentioned in the agreement?

You, as the controller, must ensure that the processor is aware of its obligations and that your contractor complies with the confidentiality provisions. To make this easier to verify, these obligations should be set out in detail in your processing agreement.

By signing the written agreement, the processor undertakes to adhere to the framework set out in it and to process the data accordingly. On completion of the contractual relationship, all data and documents containing data must be returned to the client or, where required, deleted. The processor’s duty of confidentiality continues to apply after the order has been completed.

What happens in the case of events not covered by the agreement?

If events occur that are not covered by the written agreement, you, as the controller, must be consulted on how to proceed. If the consultation reveals that a permanent change in the data processing is needed, the agreement must be amended so that it remains consistent with the revised processing. Moreover, the processor is obliged to inform the client of any suspected violation of data protection law, and the controller retains the right of inspection at any time.

What if we are already using a GDPR-compliant data processing agreement?

If you already have data processing agreements in place under the GDPR, you are in principle also ‘good to go’ under the revFADP. Nevertheless, you should still review them and amend them with the corresponding references to the revFADP, taking into account any particularities of Swiss data protection law.

What do I need to consider when writing my first data processing agreement from scratch?

If you are starting from scratch and are about to draw up these contracts, the following points should be considered for new processors (e.g. service providers):

  • Do not forget to include liability clauses.
  • State in writing that data security must be guaranteed and how this is achieved.
  • Make sure that the affected data subjects are informed about the transfer of their data to a cloud provider.
  • Specify the storage location of the data and provide additional clarification where the data are stored in third countries.
  • Include an appropriate description of the technical and organisational security measures used by the processor.
