Commissioned Data Processing Agreement Template for Switzerland


Key Requirements PROMPT example:

Commissioned Data Processing Agreement

"I need a Commissioned Data Processing Agreement under Swiss law for our healthcare software company to process patient data on behalf of multiple Swiss medical clinics, with specific provisions for handling sensitive health data and compliance with healthcare regulations, to be implemented by March 2025."

Document background

The Commissioned Data Processing Agreement is a critical legal instrument required under Swiss data protection law when one organization (the processor) processes personal data on behalf of another organization (the controller). This agreement is mandatory under the Federal Act on Data Protection (FADP/DSG) whenever external data processing occurs. It serves to establish clear responsibilities, obligations, and security requirements for both parties, ensuring compliance with Swiss data protection regulations. The document becomes particularly important in contexts involving sensitive data, cross-border transfers, or complex processing operations. It must reflect the requirements of the revised FADP/DSG that came into force in 2023, while potentially accommodating GDPR requirements for organizations dealing with EU data subjects.

Suggested Sections

1. Parties: Identification of the data controller (principal) and data processor (contractor), including full legal names, addresses, and registration details

2. Background: Context of the agreement, relationship between parties, and purpose of the data processing arrangement

3. Definitions: Key terms used in the agreement, aligned with FADP/DSG terminology

4. Subject Matter and Duration: Scope of processing activities and duration of the agreement

5. Nature and Purpose of Processing: Detailed description of the processing activities and their intended purposes

6. Type of Personal Data and Categories of Data Subjects: Specification of personal data types to be processed and categories of individuals whose data will be processed

7. Obligations and Rights of the Controller: Controller's responsibilities, including instructions for processing and audit rights

8. Processor Obligations: Core obligations of the processor including processing only on documented instructions, confidentiality, security measures

9. Technical and Organizational Measures: Security measures to be implemented by the processor to ensure appropriate data protection

10. Data Subject Rights: Procedures for handling data subject requests and processor's assistance obligations

11. Data Breach Notification: Procedures and timeframes for reporting personal data breaches

12. Audit Rights and Cooperation: Controller's audit rights and processor's cooperation obligations

13. Liability and Indemnities: Allocation of liability and indemnification provisions

14. Term and Termination: Duration of agreement, termination conditions, and obligations post-termination

15. Governing Law and Jurisdiction: Specification of Swiss law as governing law and jurisdiction for disputes

Optional Sections

1. International Data Transfers: Required when personal data will be transferred outside Switzerland, including safeguards and transfer mechanisms

2. Sub-processing: Include when the processor may engage sub-processors, including authorization process and obligations

3. Industry-Specific Requirements: Additional provisions for specific industries (e.g., healthcare, financial services)

4. Insurance Requirements: Specific insurance obligations for the processor, if required

5. Business Continuity and Disaster Recovery: Additional provisions for ensuring service continuity and data recovery

6. Joint Controllers: Required when multiple controllers are involved in determining processing purposes

7. Data Protection Impact Assessment: Cooperation requirements for DPIAs when processing likely results in high risks

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of all processing activities, including purposes, data types, and processing operations

2. Schedule 2 - Technical and Organizational Measures: Detailed specification of security measures, including access controls, encryption, monitoring

3. Schedule 3 - Approved Sub-processors: List of approved sub-processors, their roles, and locations (if sub-processing is allowed)

4. Schedule 4 - Transfer Mechanisms: Details of transfer mechanisms and safeguards for international data transfers

5. Schedule 5 - Service Levels: Performance metrics and service levels for processing activities

6. Appendix A - Contact Details: Contact information for key personnel, including data protection officers and emergency contacts

7. Appendix B - Data Breach Response Plan: Detailed procedures for handling and reporting data breaches

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Technology and Software

Healthcare and Medical Services

Financial Services

Insurance

E-commerce and Retail

Manufacturing

Professional Services

Education

Telecommunications

Real Estate

Construction

Transportation and Logistics

Energy and Utilities

Media and Entertainment

Research and Development

Relevant Teams

Legal

Compliance

Information Security

IT

Operations

Risk Management

Procurement

Data Protection

Information Governance

Privacy

Vendor Management

Contract Administration

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Legal Counsel

Compliance Manager

Information Security Manager

IT Director

Chief Technology Officer

Risk Manager

Operations Manager

Procurement Manager

Contract Manager

Chief Information Security Officer

Privacy Manager

General Counsel

Chief Operating Officer

Data Protection Specialist

Information Governance Manager


