Outsourcing is a strong trend - both in business and in public administration. The focus on core competencies, cross-organizational divisions of labour and growing demands for data processing had led in recent years to a constant increase in outsourcing.

Your company can focus its activities on its core competencies by outsourcing non-core competencies to external service providers. This is not just a company making use of external expertise. It should also ideally result in increased productivity and reduced costs.

In practice, there are numerous and quite diverse forms of outsourcing: Business processing outsourcing, knowledge process outsourcing, outsourcing to affiliate companies and outside companies transformational outsourcing, complete and selective outsourcing, cloud computing, and many others. But all forms of outsourcing have one thing in common: Often, personal data subject to data protection laws are stored and processed.

The Swiss and European data protection laws are, however, friendly to business. They favour the outsourcing of personal data processing. Normally, transfer of personal data to a third party must be required by law or be done only with the consent of the persons concerned. When outsourcing, though, the consent of the persons concerned is not necessary when certain data protection requirements are met.

The Swiss Data Protection Law, for example, says that the processing of personal can by agreement or law be transferred to other companies if it is going to be used in the same way the company would do itself. No legal or contractual confidentiality obligations that prohibit outsourcing are permitted. In addition, the company hiring the outsourcers has to ensure that the outsourcers will ensure data security.
If these conditions are met, outsourcing is usually not a problem. The consent of those whose data is being sent (such as customers or employees) is not required.

Important: The original company has a duty to select with care (cura in eligendo), instruct (cura in instruendo) and monitor (cura in custodiendo) its outsourcing contractor. These responsibilities can not be delegated to the outsourcing contractor and must always be fulfilled by the original company. In practice, however, there is sometimes the misconception that these obligations and responsibility for data protection are fully delegated to the outsourcing contractor. However, this is not so - on the contrary: The company doing the outsourcing must demonstrate that they have carefully selected, instructed, and supervised the outsourcing contractor.

To prove this, the data protection obligations and preventive measures are set forth in a separate outsourcing data protection agreement that complements the basic service contract (e.g. as an attachment or separate contract). In addition, the contractor's employees are required to sign off on a confidentiality agreement that fulfils the requirements for data protection. It provides for the specific use of personal data in the possession of the contracting company by the employees of the outsourcing contractor.

If the data is to be stored overseas, a cross-border data export agreement must also be made. This is designed to ensure that the data protection overseas is equal to that required at home.

We take care of all work on such agreements for our customers to ensure that they are compliant with data storage and protection requirements. On request, we also develop the basic service contract (service level agreement).

We draft agreements for the following particular forms of outsourcing:

  • Application service provider (ASP) as a special form of outsourcing (pseudo-outsourcing)
  • Affiliate company outsourcing
  • Third-party outsourcing
  • Complete outsourcing
  • Selective outsourcing
  • Business processing outsourcing (BPO)
  • Knowledge process outsourcing (KPO)
  • Transformational outsourcing

Schweizer Privacy Law
Hagenholzstrasse 81a
CH-8050 Zürich
Telefon: +41 (0)76 457 70 90