The new federal Act on Data Protection (nFADP) will take effect in Switzerland from 1 September 2023. This update involves changes affecting both companies and individuals. In view of these innovations, we have adapted our legal documents to meet the new provisions.
1. Automatic inclusion of the Data Processing Agreement (DPA) in our General Terms and Conditions (GTC)
One change concerns our Data Processing Agreement (DPA), which is now automatically included in our General Terms and Conditions (GTC). Previously, customers had to sign separate DPA agreements to ensure their data was processed in accordance with legal requirements. With the update of our General Terms and Conditions (GTC), this need no longer applies. This means that the Data Processing Agreement (DPA) now applies to all customers by default. You don't need to do anything. Individual, already existing DPAs, ADVs or AVVs remain valid.
2. Transparency through complete publication of technical and organizational measures (TOM)
Previously, technical and organizational measures (TOMs) taken to ensure data protection were only available upon request. As part of the revDSG, we have decided to take a step towards greater transparency. These measures have now been published in full and can be viewed by everyone. This enables customers, partners and interested parties to have a comprehensive insight into the security measures we have taken to adequately protect personal data.
3. Central availability of legal documents
To make it easier to access important information, we have placed all legal documents in one central place on our website. Under https://docs.nine.ch/docs/category/legal-documents you will find a comprehensive collection of documents to help you better understand our privacy practices and policies.
4. New obligations and cooperation in the event of breaches of data protection
The nFADP also introduces new provisions that oblige companies and data processors to strengthen cooperation and transparency in the event of breaches of data protection. In the case of a personal data breach pertaining to data which is processed by the Data Processor, the Data Processor notifies the Data Controller without delay, and no later than 48 hours after becoming aware of the breach In the event of a breach of data protection, data processors must assist the controller in carrying out a data protection impact assessment. This cooperation shall serve to take appropriate measures to reduce damage.
The introduction and publication of the contractual documents marks a significant step towards increased transparency, accountability and cooperation in the field of data protection.