KMU-Magazin No. 04/05, April/May 2022
Data processing agreements and data protection
Due to the increasing flood of data, companies are increasingly employing external service providers for data processing. This article looks at whether and how specific agreements have to be made which concern data security and data protection.
Progressive digitalisation has many positive aspects and can greatly support and simplify work processes. However, it also generates considerable amounts of data. The range of third parties specialising in certain areas and types of external data processing is also noticeably increasing. As a result, companies are making use of such services, and a large number of data processing tasks are therefore carried out externally.
This in turn means that companies have to pay even more attention to data security. Inevitably, data protection becomes an issue, as does the question whether a data processing agreement with external third parties is necessary.
The current legal situation in Switzerland concerning data protection is complex. The new Federal Data Protection Act (nFADP) scheduled for 1 September 2023 has still not been definitively determined by the Federal Council. And Swiss companies may find themselves subject to the European General Data Protection Regulation (EU GDPR), which has been in force since May 2018, in addition to the Federal Data Protection Act (FADP) still in force today.
When considering outsourcing data processing to a third party, it is important to note that when personal data is being processed by a third party, an agreement should preferably be concluded between the client and the contractor.
But when is a data processing agreement (DPA) necessary? This question is not always easy to answer.
In the case of data processing by third parties, one party provides another party with the data to be processed. However, when analysing the legal relationship, the type of data processing has to be closely examined in order to distinguish between a "simple" data processor, with whom a DPA should be concluded, and a contractor who pursues other, more essential purposes with the data processing. The result of this analysis is also decisive, among other things, for the question of liability for data protection violations.
A DPA is concluded between a so-called controller (according to nFADP and EU GDPR; FADP: instructing party/controller of the data file) and a data processor (nFADP/EU GDPR: processor). As the name suggests, the controller is central. The controller is the person who decides on the purpose and content or means of the data processing and is therefore responsible for ensuring that the data processing complies with the legal requirements.
The controller has to carry out risk analyses for the data to be processed and, based on their results, implement adequate organisational and technical measures to protect the data (in particular against loss, misuse and alteration by unauthorised third parties) as well as for the security of the data processing. The data processor, on the other hand, assumes a processing role and acts on behalf of the controller.
The difficulty thus lies in correctly qualifying relationships. For companies with outsourced payroll accounting, for example, a DPA is necessary. This also applies to IT service providers (e.g. hosting providers), trustees and shipping companies. However, there is no exhaustive list. If, on the other hand, the core competence of a third party and its added value does not lie in the sole processing of data on behalf of another party and if the third party also processes this data for its own authorised purposes, it can no longer be said to be "only" processing on behalf of another party.
Thus, the recruiter who works on behalf of his client is himself a controller with regard to the processing of personal data within the scope of the mandate, since his essential service does not consist of the provision of data processing; the latter is in this sense only the means to an end, since the aim of the service here is job placement. The same conclusion also applies to lawyers or tax advisors, for example. Furthermore, there is the possibility that several parties can make relevant decisions regarding ends and means. In such a constellation, one speaks of co-responsibility (joint responsibility).
In principle, it can be stated that the controller is the one who initiates the data processing, determines the goal and thus the purpose of this processing, and decides on the parameters (collection category, evaluation methodology, generally the type and ultimately also the duration of the processing, etc.), i.e. the means of data processing. Anyone who only has a processing role does not qualify as a controller.
Anyone who processes personal data is responsible for data security. The principle that personal data has to be protected against unauthorised processing by means of adequate technical measures (i.e. measures of a physical nature, password complexity, access authorisations, user accounts, pseudonymisation and/or encryption of data, etc.) as well as organisational measures (certain procedures and methods, instructions, etc.) is currently already anchored in the law. If third parties are commissioned to process data, the instructing party must also ensure that the third parties can guarantee data security in the same way.
The EU GDPR and the not yet applicable nFADP explicitly state that the controller as well as the processor are obliged to ensure "a level of data protection/security appropriate to the risk". Determining the adequate technical and organisational measures therefore implies, as already explained, a risk analysis. In this regard, the controller has to ask how high the risk of a violation of the privacy or fundamental rights of the data subject would be if that person's data were to fall into the hands of unauthorised persons. Data security measures have to be taken accordingly.
In connection with data security, the concept of Privacy by Design is also important. It is explicitly made mandatory under the nFADP, as is already the case in the EU GDPR. This means that technical provisions have to be designed in such a way that a breach of data protection is completely impossible or the risk of such a breach is minimised as far as possible. The controller is also required to ensure, by means of suitable default settings, that the processing of personal data is limited to the minimum necessary for the purpose of use (Privacy by Default).
In principle, the following statement can be made: The more sensitive the data, the more sophisticated, complex and comprehensive the data security measures must be.
It is important to emphasise here that a controller cannot evade its responsibility for data security by using the services of an external IT service provider, for example. It is up to the controller – who knows and must know best about the nature and sensitivity of the data processed by the data processor – to ensure the adequacy of the technical and organisational measures by selecting such measures accordingly, whereby the data processor can and probably usually will assist the controller in an advisory capacity.
Article 28 of the EU GDPR clearly stipulates which aspects have to be dealt with in a DPA; this is exhaustively regulated in eight points. In Switzerland, the situation is different. Neither the FADP, which is still in force today, nor the nFADP describes the content of a DPA in more detail. The lack of explicit specification in Swiss law of the content requirements of a DPA can lead to uncertainties in the application of the law.
However, it is also not advisable to adopt an EU GDPR-compliant contract without having a further look at it – unless the EU GDPR is applicable to the controller – as it often refers to other laws and there are also terminological differences between the FADP/nFADP and the EU GDPR. Yet, the controller is in any case well advised to regulate with the processor in particular the concretisation of the content of the agreement, its authority to issue instructions, the technical and organisational measures to be taken for data security, the handling of breaches of data security as well as liability. In addition, provisions regarding the correction, restriction, deletion and return of personal data should be agreed upon.
In any case, it is advisable to carefully draft a DPA. This applies all the more since the entry into force of the nFADP means that a fine of up to CHF 250,000 can be imposed in the event of a breach of this duty of care. Under the EU GDPR, an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to two percent of its total worldwide annual turnover of the preceding financial year, whichever is higher, can already be imposed.
The controller has to comply with considerable obligations in connection with the processing of personal data. The outsourcing of activities may trigger additional data protection obligations for the controller. As soon as the future nFADP is in force, the controller will have to meet even higher requirements than under the current FADP, whereby it should be noted that for certain companies the EU GDPR may already apply.
Due to the legal obligations imposed on the controller and the potentially severe sanctions that may already now result from non-compliance with these obligations – in addition to the threat of reputational damage and loss of turnover – it is advisable and appropriate to deal thoroughly with the topic of the data processing agreement.
Whether a data processing agreement is legally necessary requires a legal analysis, which can be time-consuming and complicated. For an assessment, it is therefore recommended to seek legal assistance, which can also help with the possible drafting of a data processing agreement.