The Commissioned Data Processing Agreement is a critical legal instrument required under Swiss data protection law when one organization (the processor) processes personal data on behalf of another organization (the controller). This agreement is mandatory under the Federal Act on Data Protection (FADP/DSG) whenever external data processing occurs. It serves to establish clear responsibilities, obligations, and security requirements for both parties, ensuring compliance with Swiss data protection regulations. The document becomes particularly important in contexts involving sensitive data, cross-border transfers, or complex processing operations. It must reflect the requirements of the revised FADP/DSG that came into force in 2023, while potentially accommodating GDPR requirements for organizations dealing with EU data subjects.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Your data doesn't train Genie's AI
You keep IP ownership聽of your docs
1. Parties: Identification of the data controller (principal) and data processor (contractor), including full legal names, addresses, and registration details
2. Background: Context of the agreement, relationship between parties, and purpose of the data processing arrangement
3. Definitions: Key terms used in the agreement, aligned with FADP/DSG terminology
4. Subject Matter and Duration: Scope of processing activities and duration of the agreement
5. Nature and Purpose of Processing: Detailed description of the processing activities and their intended purposes
6. Type of Personal Data and Categories of Data Subjects: Specification of personal data types to be processed and categories of individuals whose data will be processed
7. Obligations and Rights of the Controller: Controller's responsibilities, including instructions for processing and audit rights
8. Processor Obligations: Core obligations of the processor including processing only on documented instructions, confidentiality, security measures
9. Technical and Organizational Measures: Security measures to be implemented by the processor to ensure appropriate data protection
10. Data Subject Rights: Procedures for handling data subject requests and processor's assistance obligations
11. Data Breach Notification: Procedures and timeframes for reporting personal data breaches
12. Audit Rights and Cooperation: Controller's audit rights and processor's cooperation obligations
13. Liability and Indemnities: Allocation of liability and indemnification provisions
14. Term and Termination: Duration of agreement, termination conditions, and obligations post-termination
15. Governing Law and Jurisdiction: Specification of Swiss law as governing law and jurisdiction for disputes
1. International Data Transfers: Required when personal data will be transferred outside Switzerland, including safeguards and transfer mechanisms
2. Sub-processing: Include when the processor may engage sub-processors, including authorization process and obligations
3. Industry-Specific Requirements: Additional provisions for specific industries (e.g., healthcare, financial services)
4. Insurance Requirements: Specific insurance obligations for the processor, if required
5. Business Continuity and Disaster Recovery: Additional provisions for ensuring service continuity and data recovery
6. Joint Controllers: Required when multiple controllers are involved in determining processing purposes
7. Data Protection Impact Assessment: Cooperation requirements for DPIAs when processing likely results in high risks
1. Schedule 1 - Processing Activities: Detailed description of all processing activities, including purposes, data types, and processing operations
2. Schedule 2 - Technical and Organizational Measures: Detailed specification of security measures, including access controls, encryption, monitoring
3. Schedule 3 - Approved Sub-processors: List of approved sub-processors, their roles, and locations (if sub-processing is allowed)
4. Schedule 4 - Transfer Mechanisms: Details of transfer mechanisms and safeguards for international data transfers
5. Schedule 5 - Service Levels: Performance metrics and service levels for processing activities
6. Appendix A - Contact Details: Contact information for key personnel, including data protection officers and emergency contacts
7. Appendix B - Data Breach Response Plan: Detailed procedures for handling and reporting data breaches
Find the exact document you need
Joint Controller Data Processing Agreement
A Swiss law-governed agreement between joint controllers defining their respective responsibilities and obligations in joint personal data processing activities.
Download
DPA Data Privacy Agreement
Swiss law-governed Data Processing Agreement defining terms for personal data processing between controller and processor, ensuring FADP compliance with GDPR considerations.
Download
Data Controller DPA
Swiss law-governed Data Processing Agreement defining terms for handling personal data between controller and processor, compliant with Swiss FADP and relevant international standards.
Download
Commissioned Data Processing Agreement
A Swiss law-governed agreement establishing terms for commissioned processing of personal data, ensuring compliance with FADP/DSG requirements.
Download
骋别苍颈别鈥檚 Security Promise
Genie is the safest place to draft. Here鈥檚 how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; 骋别苍颈别鈥檚 AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it
.png)