☝ If you don't have a DPA agreement yet, feel free to use the Secfix template and tailor it to your organization. You'll find the template in your Shared Drive, or ask your Customer Success Manager.
When sharing personal data with external providers, the nFADP requires your company to ensure that equivalent data security standards are upheld. This is achieved through Data Processing Agreements (DPAs).
Remember, as the data controller, you shoulder the responsibility for the data's security. Crafting the DPAs is your job, not the data processor's. While the processor works on your instructions, it's your duty to ensure they maintain the right data protection standards.
💡 If you are already subject to the GDPR and have concluded corresponding DPAs with your data processors, you only need to adapt them slightly: refer to the Swiss FADP in addition to the GDPR.
What's included in the DPA?
The nFADP does not prescribe any minimum content for the data processing agreement. It is recommended to follow the requirements of the GDPR. Based on this, we recommend the following content:
Parties Identification: Define the roles of data controller and processor.
Data Purpose: Specify why and how the data will be processed.
Instruction Adherence: Ensure the processor acts according to your directives.
Confidentiality: Set guidelines for data non-disclosure.
Data Security: Outline protection measures against unauthorized access, loss, or theft.
Sub-processing: Explicitly require your approval if the processor wants to share data with another entity.
Breach Notifications: Define processes and timelines for reporting any data breaches.
Support Duties: Detail responsibilities during security breaches or data requests.
Audit Rights: Agree on potential data protection audits.
Data Return/Deletion: Set guidelines for data handling post-contract.
How to craft a DPA?
Here’s how to legally secure your third-party processing activities:
Inventory: Identify all data processors you share personal data with.
Drafting: Use the Secfix template and tailor it to your organization. You'll find the template in your Shared Drive.
Negotiations: Discuss and finalize the DPA details with each processor.
Contract Conclusion: After finalizing the details, sign the DPAs and store them safely under the Vendors Page as evidence of legal compliance.
Lastly, these rules apply to processors located in Switzerland or in recognized safe third countries. International transfers require specific additional measures, which are discussed in the following section.