Part 8 of our series on data protection law in Switzerland
In this part of our series, we analyse what rules must be followed under the Federal Act on Data Protection (FADP) when appointing a processor to process personal data.
Statutory provisions
Pursuant to Art. 9 FADP, the processing of personal data may be delegated by contract or by law to a processor, provided that:
- the data is only processed in the way the controller itself would be permitted to process it; and
- no statutory or contractual duty of confidentiality prohibits such delegation.
The law also requires the controller to ensure that the processor can guarantee data security – for example, by using a checklist or reviewing relevant information security standards (e.g., ISO certifications).
Subcontracting by the processor is only permitted with the controller's prior approval. This approval may be specific or general. In the case of general approval, the processor must inform the controller of any intended changes – in particular, the engagement of new sub-processors or the replacement of existing ones – and must give the controller the opportunity to object to such changes.
Practical implications
The FADP does not prescribe specific formal requirements or minimum content for data processing agreements. As a matter of best practice, a written data processing agreement (DPA) should be concluded. The agreement may follow the standards set out in the EU General Data Protection Regulation (GDPR). At a minimum, the following provisions should be included:
- the processor may only process personal data in accordance with the controller's instructions;
- only authorised individuals bound by confidentiality may have access to the data;
- sub-processors may only be engaged with the controller's prior approval, considering specific requirements for cross-border data transfers;
- appropriate technical and organisational security measures must be implemented;
- the processor must inform and assist the controller in the event of data subject requests or security incidents;
- upon completion of the agreed services, personal data must be deleted or anonymised.
In addition to contractual safeguards, controllers should actively monitor whether the agreed technical and organisational measures are being implemented. This can be done, for example, through regular audits, certifications, or other oversight mechanisms to ensure the measures remain effective and appropriate over time.
When working with processors based outside Switzerland, it is also essential to comply with the FADP's rules on cross-border data transfers. These requirements will be covered in part 11 of our series.
Preview of Part 9
In part 9 of our series, we will examine whether consent is necessary for electronic direct marketing and what exceptions may apply.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.