16 August 2023

Data protection clauses and data regulations in contracts and GTCs

  • Articles
  • Legal
  • Data / Technology / IP

Innovative technologies are reshaping contracts: risk allocation and revised standard contracts and general terms and conditions are essential to cope with the changing data landscape.

Have you adapted your contracts and general terms and conditions (GTCs) to the rapid digital and legal developments? In a digitally driven economy and in view of the entry into force of the new Data Protection Act (FADP) on September 1, 2023, contractual provisions governing the handling of data, data protection and cyber risks are a must.

Below is a short list / checklist of standard regulation points that should be included in almost every (permanent) contract in our practice today.

1. Personal data protection

Roles/Responsibilities: If personal data are processed in the context of a contractual relationship (which is almost always the case), it must be contractually defined which party assumes which data protection role (controller, processor, joint controller, etc.) and is responsible for the corresponding obligations and processes (transparency, obligation to provide information, deletion, etc.). Depending on the constellation, the contract must be supplemented by a contract data processing agreement (annex) within the meaning of Art. 9 FADP or Art. 28 para. 3 GDPR. It is also recommended to regulate who is responsible for the accuracy of the collected personal data.

Subcontractors: It must also be regulated whether and, if so, how subcontractors may be used. Legal regulations must be observed in this regard.

Cross-border transfers: The cross-border transfer of personal data must also be contractually regulated, as there are strict rules in this regard in the FADP. The transfer of data to countries outside the EU is particularly sensitive. The question of lawful access risk also arises.

Privacy Policy: Standard contracts and GTC should be brought into line with the privacy policy. In many cases, the GTCs refer to the company's current privacy policy.

Obtaining consent: When processing particularly sensitive personal data, it should be noted that such data can often only be processed - and thus also disclosed - with the explicit consent of the data subject (Art. 6 para. 7 let. a FADP). Particularly sensitive personal data includes, for example, religious and political views or data about health (cf. Art. 5 let. c FADP). The relevant contracts should therefore specify who is responsible for obtaining consent.

Compliance: This includes determining which jurisdictions apply and defining cooperation obligations in the event of requests from the authorities.

2. Data Security and Cyber Security

Cyber risks are among the top risks (high probability of occurrence; high damage potential). Therefore, the topic of data security (obligations to protect data and infrastructure; risk allocation) should be contractually regulated.

Level of data protection and TOMs: It is recommended that the implementation of an appropriate level of data protection, protection goals and general (for sensitive data also concrete) technical and organizational measures (TOMs) be regulated in the contract as an obligation. For the level of data protection, (industry-specific) standards, guidelines, frameworks and certifications play an important role in contractual practice (e.g. ISO/IEC 27000 series, NIST 800 series; PCI DSS, NIST Cybersecurity Framework; ICT Minimum Standard). Art. 3 of the Ordinance to the Data Protection Act (DPO) can serve as an orientation for the protection goals. Depending on the sensitivity of the data, specific TOMs should be agreed. For example: two-factor authentication, offline backups, details on encryption (e.g., cipher), data structure, redundancy, update policy, response times or even controls should be contractually regulated. Depending on the constellation, the contracting parties can also use standards here. The regulations are also of great importance for the question of liability in the event of a cyber attack.

Information, Documentation and Reporting Obligations: These obligations of the provider create transparency for the customer and are particularly relevant in a crisis or for companies with reporting obligations (e.g. FINMA-regulated companies, operators of critical infrastructures).

Duties in case of Cyber Attacks: This is about regulating what the provider must do in the event of a cyber incident (specific information obligations, assessment of the impact on the client, cooperation in investigations, adaptation of TOMs, documentation, etc.).

Liability in the event of Cyber Attacks: It is advisable to regulate liability in the event of cyber attacks by third parties. An appropriate solution must be found here as to which party is (jointly) liable, to what extent and under what circumstances in the event of a cyber attack and for a data breach. There is no absolute security.

Insurance: For large projects or significant outsourcing, it is advisable to obtain a confirmation of cyber risk insurance (see "How to insure cyber risks?", mme.ch) or business interruption insurance from the provider.

3. Ownership of Data, Use of Data, Access to Data, Data License

Whether data (all types of data, i.e. also data about legal entities, machine data, production data, etc.) can be owned under civil law (i.e. under property law) is disputed. Be that as it may, it is possible under contract law for the parties to regulate inter partes ownership of the data.

If the data remain with the transferring party despite the transfer to the other party, it must be regulated whether, to what extent and for what purposes the receiving party (or third parties) may use or access the data (e.g. prohibition of evaluation for own purposes, prohibition of transfer to third parties, regulation regarding deletion; right of access, technical security during access; consent to the transfer of data via a public network infrastructure (Internet), confidentiality obligations, accessibility for users, data access for third parties, data quality, use for AI, consideration, protection of know-how, etc.).

Depending on the constellation, various legal regulations must be observed (Publicity Act; EU Data Act, EU Free Flow of Data Regulation, etc.).

4. Intellectual property and Software Licenses

If software components are included in products or the subject matter of the contract, the intellectual property rights should be clarified and the corresponding rights of use or license of the users secured and limited. In addition, the obligations for the maintenance of the software and the associated updates shall be regulated.

Force majeure and disclaimers

Force majeure clauses and the disclaimers should be adapted to the new risks, such as power failures, power outages, power shortages, energy rationing, pandemics, epidemics, transmission errors, technical failures or interruptions, misuse/disruption of the Internet, websites, linked websites, network, IT infrastructure or telecommunication network, as well as data misuse by third parties or data loss.

5. Termination actions

In the case of open-ended contracts, it is necessary to consider in each case exactly what the termination scenarios are, which exit management measures are to be taken (e.g., obligations to hand over data, transfer of data in a standardized, common format; deletion of data; etc.).
