
Note: This document is a template. All entries in square brackets […] must be replaced with actual project and client data before use. The contents should be reviewed and adapted to the specific engagement. Legal review is recommended.

Data Processing Agreement (DPA)

between

[Client]
[Company/Organisation]
[Client Address]
(hereinafter "Controller")

and

le dot E-Solution Stanic, Mirko Stanic
Birmensdorferstrasse 240, 8003 Zürich
UID: CHE-130.745.803
E-Mail: mail@le-dot.com
(hereinafter "Processor")

(collectively "the Parties")


Art. 1 — Subject Matter and Duration

1.1 This Data Processing Agreement (DPA) governs the rights and obligations of the Parties in connection with the processing of personal data by the Processor on behalf of the Controller.

1.2 This DPA is an integral part of the main contract dated [Date] (hereinafter "Main Contract") and applies for its entire duration.

1.3 The legal basis is Art. 9 of the Swiss Federal Act on Data Protection (DSG) and the Ordinance on Data Protection (VDSG).

Art. 2 — Nature and Purpose of Processing

2.1 The Processor processes personal data exclusively within the scope and for the purpose of the services agreed in the Main Contract, in particular:

  • [Description, e.g. hosting and operation of web applications]
  • [e.g. IT support and troubleshooting]
  • [e.g. software development and testing]

2.2 The types of processing include: collection, storage, modification, retrieval, transmission, deletion.

Art. 3 — Categories of Data Subjects

3.1 The processing relates to personal data of the following categories of data subjects:

  • [e.g. employees of the Controller]
  • [e.g. customers of the Controller]
  • [e.g. visitors to the Controller's website]

Art. 4 — Categories of Personal Data

4.1 The following categories of personal data are processed:

  • [e.g. contact data (name, email, telephone)]
  • [e.g. usage data (IP address, access times)]
  • [e.g. contractual data (orders, invoices)]

4.2 Sensitive personal data within the meaning of DSG Art. 5 lit. c shall only be processed if expressly provided for in the Main Contract.

Art. 5 — Obligations of the Controller

5.1 The Controller is responsible for the lawfulness of the data processing (DSG Art. 6).

5.2 The Controller shall issue instructions to the Processor regarding the nature, scope and method of data processing.

5.3 The Controller shall inform the Processor without delay if errors or irregularities in connection with the processing of personal data are identified.

Art. 6 — Obligations of the Processor

6.1 The Processor shall process personal data exclusively in accordance with the instructions of the Controller (DSG Art. 9 para. 1).

6.2 The Processor shall ensure that persons authorised to process personal data are bound by confidentiality obligations.

6.3 The Processor shall support the Controller, to a reasonable extent, with:

  • a) responding to data subject access requests (DSG Art. 25–27);
  • b) ensuring data security (DSG Art. 8);
  • c) reporting data protection breaches (DSG Art. 24);
  • d) conducting data protection impact assessments.

6.4 The Processor shall inform the Controller if, in the Processor's view, an instruction violates data protection regulations.

Art. 7 — Technical and Organisational Measures (TOMs)

7.1 The Processor shall take appropriate technical and organisational measures to protect personal data in accordance with DSG Art. 8 and VDSG Art. 1–4, in particular:

Confidentiality:

  • a) Access control: access to personal data is restricted to authorised persons;
  • b) Authentication: multi-factor authentication for system access;
  • c) Encryption: transport and storage encryption in accordance with the current state of the art.

Integrity:

  • d) Input control: logging of who entered, modified or deleted personal data;
  • e) Transfer control: secure transmission channels for personal data.

Availability:

  • f) Backup: regular data backups with a documented recovery procedure;
  • g) Recovery: ability to restore data promptly in the event of technical incidents.

Traceability:

  • h) Logging: logging of access and processing activities in accordance with VDSG Art. 4.

7.2 The measures are reviewed regularly and adapted to the current state of the art. The current description of the TOMs is attached as Annex C.

Art. 8 — Sub-Processors

8.1 The Processor may only engage sub-processors with the prior written consent of the Controller (DSG Art. 9 para. 3).

8.2 The sub-processors approved at the time of contract conclusion are listed in Annex D.

8.3 The Processor shall inform the Controller in good time of any intended changes. The Controller may raise an objection within 30 days.

8.4 The Processor shall contractually ensure that sub-processors comply with equivalent data protection obligations.

Art. 9 — Notification of Data Protection Breaches

9.1 The Processor shall notify the Controller of breaches of data security without delay, and no later than 48 hours after becoming aware of the breach (DSG Art. 24 para. 1).

9.2 The notification shall contain at minimum:

  • a) a description of the nature of the breach;
  • b) the categories and approximate number of affected data subjects;
  • c) the likely consequences;
  • d) the measures taken or proposed.

9.3 The Processor shall support the Controller in fulfilling the notification obligation towards the FDPIC (EDÖB) and the affected data subjects.

Art. 10 — Deletion and Return

10.1 Upon termination of the Main Contract, the Processor shall delete all personal data or return it to the Controller — at the Controller's discretion.

10.2 Deletion shall be confirmed to the Controller in writing.

10.3 Statutory retention obligations remain reserved. In such cases, the relevant data shall be blocked and deleted upon expiry of the retention period.

Art. 11 — Audit Rights

11.1 The Controller is entitled to verify compliance with the provisions of this DPA, in particular through:

  • a) inspection of relevant documentation and logs;
  • b) on-site audits with reasonable advance notice (at least 10 business days);
  • c) requests for evidence or certifications.

11.2 The Processor shall support the Controller in conducting audits to a reasonable extent.

Art. 12 — Liability

12.1 The liability of the Parties is governed by the provisions of the Main Contract.

12.2 Each Party shall be liable for damages caused by a breach of data protection provisions.

Art. 13 — Final Provisions

13.1 Written form: Amendments and supplements to this DPA require written form and the signatures of both Parties.

13.2 Precedence: In the event of contradictions between this DPA and the Main Contract, the provisions of this DPA shall prevail with regard to data protection.

13.3 Severability clause: Should any provision of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.

13.4 Applicable law: This DPA is governed exclusively by Swiss law.

13.5 Place of jurisdiction: The exclusive place of jurisdiction is Zurich.


Signatures

Controller:
  Company: [Company/Organisation]
  Name: [Client]
  Place, Date: __
  Signature: __

Processor:
  Company: le dot E-Solution Stanic, Mirko Stanic
  Name: Mirko Stanic
  Place, Date: Zürich, [Date]
  Signature: __

Annexes

  • Annex C: Technical and organisational measures (TOMs)
  • Annex D: List of approved sub-processors

Legal References

  • DSG Art. 5 — Definitions (sensitive personal data)
  • DSG Art. 6 — Principles of data processing
  • DSG Art. 8 — Data security
  • DSG Art. 9 — Processing by a data processor
  • DSG Art. 24 — Notification of data security breaches to the FDPIC (EDÖB)
  • DSG Art. 25–27 — Right of access and rights of data subjects
  • VDSG Art. 1–4 — Data security requirements (technical and organisational measures)
  • VDSG Art. 8 — Data processing by a processor