ICT Outsourcing

As a company, it is worth recognizing which tasks should be handled in-house and where the company is better off concentrating on its core business in order to increase efficiency and reduce costs. Particularly in IT, it makes sense to consider bringing in an external service provider, not least for information security reasons. And while companies and service providers like to focus on performance, both would do well to be able to answer the fundamental questions of data protection.

Outsourcing from a data protection perspective

Cloud providers, web hosts, agencies and call centres or IT support companies take on tasks in companies that also entail access to or the processing of personal data held by the company. According to the Federal Act on Data Protection (FADP), the processing of personal data can be transferred to a so-called processor. In this case, the company, as the so-called controller, remains responsible for ensuring that data protection is complied with. The company must ensure careful selection, appropriate instruction and necessary monitoring. The service provider has a reciprocal interest in delineating the duties transferred and clarifying which services are to be remunerated and how.

DPA – Data Privacy Agreement

In practice, the agreement on data processing (or order processing according to the GDPR) has become established, often abbreviated as DPA. Instead of a separate DPA, data protection can also be regulated as an annex to the contract, as is common in the Anglo-American region with the so-called Data Privacy Addendum, also abbreviated DPA. More important than where it is regulated is that the responsibilities and obligations are regulated in accordance with the FADP or the GDPR. Similar pitfalls present themselves time and again.

Important to regulate

The basic principle of both the FADP and the GDPR is to ensure that the processor only processes the transferred data in accordance with the instructions of the client. Suitable technical and organisational measures must be taken to ensure that the rights of the data subject are protected. Accordingly, in addition to the basic scope of the order, and thus of the data processing, data security in particular must be specified. On the one hand, it should be appropriate to the risk and effective; on the other hand, it must correspond to the state of the art. Depending on the sector, audits, pen tests and certifications may also be used for this purpose.

In principle, the processor processes personal data for the controller’s purposes, i.e. the company’s. As service providers, processors are therefore not permitted to process this personal data for their own purposes – otherwise they would become controllers themselves (sometimes also referred to as a “joint controller”). For such a change of purpose, a processor must be able to assert its own justification, primarily the express consent of the data subject.

Pitfalls in DPA

The issue of subcontracting, i.e. the use of so-called subcontractors, is often forgotten or overlooked. Subcontractors must be disclosed before the contract is concluded and, once the contract has been concluded, must only be used with the prior authorization of the company, i.e. the controller. In addition, when outsourcing abroad, there are further considerations regarding the disclosure of personal data abroad and data security in general (see also below on outsourcing with a US context).

As mentioned above, the company remains responsible as the controller. To this end, it may make sense to regulate support obligations with contractual agreements (e.g. obligations to cooperate) and/or to take specific organizational measures. This primarily concerns the rights of data subjects (information, rectification, erasure), but also instruments and obligations under the law (data protection violations, data protection impact assessments, etc.).

It is not uncommon for regulations on responsibility and liability, as well as the resulting costs, to be missing – or to be transferred unilaterally. It seems sensible to adapt liability to the dynamics of the service relationship, in particular to how independently the service provider acts for the company. The costs in particular should be made transparent and are probably best orientated towards the polluter-pays principle.

Outsourcing in a US context

If data is disclosed abroad during outsourcing, it must also be checked whether the countries in which the data is processed have an adequate level of data protection. This is primarily based on the decision of the Federal Council, i.e. the list of countries with an adequate level of data protection in accordance with the Swiss Data Protection Ordinance (DPO). If the service provider is located in a country that does not offer a level of data protection comparable to that in Switzerland, or if the data is processed in countries that do not offer an adequate level of protection compared to Switzerland, additional measures must be taken. Standard data protection clauses (also known as “Standard Contractual Clauses” SCC) are the first thing to consider.

The USA is a special case. With the invalidation of the EU-US Privacy Shield – and subsequently the Swiss-US Privacy Shield – as a result of the Schrems II ruling by the European Court of Justice in July 2020, the processing of confidential data by a US provider in compliance with data protection regulations has become more complex. In the meantime, SCCs were used as a workaround – without legal certainty as to whether this would be sufficient. Now the new Swiss-U.S. Data Privacy Framework for certified U.S. companies offers adequate protection for personal data. To this extent, the Federal Council has put the USA back on the list of countries with an adequate level of data protection and will in future allow the transfer of personal data from Switzerland to certified companies in the USA without additional guarantees. The Federal Council brought the corresponding amendment to the DPO into force on September 15, 2024.

Obergrundstrasse 70
CH-6003 Luzern

Bahnhofplatz
CH-6300 Zug