Selected Aspects of the new FADP
Data protection and data security are pivotal when it comes to safeguarding the confidence and rights of people, known as "data subjects", whose data are being processed. The revised Federal Act on Data Protection means that awareness of this topic has once again come to the forefront, which is also reflected here at cloudscale.ch, where we receive frequent questions about it. In the following, we would like to look at some of the key points and explain how we deal with them, in particular also in terms of the data processing agreement that we make available to our customers.
The new Swiss FADP
According to the Swiss Federal Council, transparency, monitoring options and awareness of responsibility associated with the processing of personal data were three of the goals of the revised Federal Act on Data Protection (FADP). A further aim was to align the Swiss FADP more closely with the EU General Data Protection Regulation (GDPR) to ensure continued certification by the European Commission of an adequate level of protection in Switzerland.
Even though the old FADP contained similar regulations, many of the data protection provisions discussed in recent years were familiar mainly from the GDPR. The revised FADP means that Swiss data protection has now also become a topical issue. This is probably not least due to the new threat of fines of up to CHF 250,000 for non-compliant decision-makers. In the following, however, we do not want to focus on the fines, but on the two main constellations relating to day-to-day data protection and on the question of how cloudscale.ch is involved.
Data subjects and controllers
The new FADP protects natural persons (i.e. individuals, rather than legal persons such as companies or associations) when their data are processed. These data subjects do not need to be known by name: if the subjects can be identified using the data, the data are considered as personal data. A company processing personal data of this kind, thereby determining the purposes for which and the means by which the data are processed, is the "controller". In the context of e.g. an online shop, the owner of the shop is the controller who processes, among other things, the contact details and orders of customers (data subjects).
Controllers often not only process personal data themselves, but also involve service providers. In the online shop mentioned as an example above, a credit check could be obtained before orders are shipped to a customer on account. The shop owner is also the controller for this step and remains wholly responsible for data processing. Here, the credit agency is a "processor" because it processes data on behalf of the controller. This kind of data processing is basically permissible, but needs to be regulated in a contract concluded between controller and processor.
As a cloud provider, we here at cloudscale.ch become a processor as soon as our customers use our services to process personal data, e.g. when the aforementioned online shop is run on our infrastructure. This is why we already offer the required contract for data processing, the data processing agreement (DPA), which can be concluded with just two clicks of the mouse directly in our cloud control panel.
As opposed to the GDPR with its detailed regulations, even the revised version of the Swiss FADP gives barely any instructions on the content of the DPA. We nonetheless made the most of the opportunity and reviewed our DPA, with the revisions coming into effect on 2023-09-01. While there were almost no essential changes, we revised the structure and a lot of the wording to improve clarity and make things easier to understand, e.g. in the following places:
- The document (in German) is now called "Vertrag zur Auftragsverarbeitung" or "AV-Vertrag" (AVV), which are more common terms nowadays than the previous name.
- We no longer specifically mention the GDPR, but simply use "applicable data protection legislation". This makes clear that other regulations may also apply, e.g. the Swiss Federal Act on Data Protection (FADP).
- We have continued to use the terms "verarbeiten" and "personenbezogene Daten", as is common in the context of the GDPR, whereas the Swiss FADP uses different German synonyms. The consistent choice of wording aims to make the document easier to read while in no way precluding the interpretation of the DPA according to Swiss law.
- We now specify "documented instructions" (a GDPR term). The aim here is to clearly state that the customer, or possibly a third party, independently and directly (and not via correspondence with us) determines how our IaaS services are used and thus how data are processed.
- Previously we referred to other documents for technical and organizational measures (TOMs). On our website, in particular, we provided regular reports on improvements to our security features. Now, a set of TOMs has been explicitly summarized in an Annex to the DPA. NB: the TOMs described represent a point-in-time snapshot. While the level of protection described is binding and may not be undercut, we retain the option to change and further develop the measures actually taken in future. The customer will have to assess whether this level is suitable for the specific processing they plan. Here at cloudscale.ch, we provide standardized services without getting involved in individual cases.
- In addition to the TOMs that we take on our end, we also have a list of security-relevant features relating to our services, which our customers can use for themselves to support the security of data and their processing.
- The provision regarding deletion of data at the end of the contract has been specified in more detail, in particular with regard to the fact that customers can move their data to a new location independently.
Data protection and data security have always been key for us here at cloudscale.ch. In this process, we not only handle personal data responsibly, but also support our customers as they adhere to the relevant specifications, e.g. by means of the DPA that they can conclude directly in our cloud control panel.
Committed to data protection,
Your cloudscale.ch team