
Privacy
DPA and FADP: what your enterprise customer will ask for
The Swiss FADP runs parallel to the GDPR. A clean dual-stack DPA closes the privacy-questionnaire conversation in a week.
The first enterprise customer that takes you seriously will send a data-protection questionnaire before they sign anything. The DPA you attach to your master agreement decides whether that conversation lasts a week or three months. A clean template that covers both the Swiss FADP (in force since 1 September 2023) and the EU GDPR closes it fast.
The contractual anchors are FADP Art. 9 (processing by processors) and GDPR Art. 28 (processor contracts). Both require the processor relationship to rest on a contract, both require the controller to satisfy itself that the processor can guarantee data security, and both make sub-processing subject to the controller's prior authorisation (FADP Art. 9(3), GDPR Art. 28(2)). GDPR Art. 28(3) prescribes a detailed minimum content that FADP Art. 9 does not, so a DPA drafted to GDPR Art. 28 also satisfies FADP Art. 9; a DPA drafted only to the thinner Swiss text does not work the other way round.
What the FADP and GDPR share
Both expect a contract between controller and processor that specifies the subject, purpose, duration and categories of personal data, the duties of the processor, and the technical and organisational measures in place (FADP Art. 8, GDPR Art. 32). Both require the processor to report breaches to the controller, who then notifies the regulator: under FADP Art. 24 the controller notifies the FDPIC as soon as possible when the breach is likely to result in a high risk to the data subjects, and informs the data subjects where that is needed for their protection or the FDPIC requests it; under GDPR Art. 33 the controller notifies the supervisory authority within seventy-two hours unless the breach is unlikely to result in a risk (Art. 34 covers the data subjects). Both require sub-processor disclosure; GDPR Art. 28(3)(h) adds an explicit audit right, which enterprise templates expect under both regimes.
Where the Swiss FADP differs
- Personal data of legal entities is no longer in scope under the revised FADP since 1 September 2023, aligning with the GDPR.
- Cross-border transfers to a country without adequate protection require additional safeguards under FADP Art. 16. The Federal Council maintains the adequacy list (DPV Annex 1); the Swiss SCCs are the EU SCCs with a thin Swiss annex.
- When the controller is Swiss, breach notifications go to the Swiss FDPIC under FADP Art. 24, and only for breaches likely to result in a high risk to the data subjects. If the GDPR also applies to the processing (Art. 3(2), for example because you offer services to people in the EU), the EU supervisory authority must be notified as well; the two duties run side by side.
- The right of access (FADP Art. 25) gives data subjects a free-of-charge response within thirty days. Wilfully providing false or incomplete information is a criminal offence for the natural person responsible (fine of up to CHF 250'000, FADP Art. 60), prosecuted on complaint.
- There is no FADP equivalent to the GDPR's two- or four-percent revenue fines. Swiss sanctions target the natural person who committed the violation; the company is fined only as a fallback, up to CHF 50'000 under FADP Art. 64, where identifying the individual would take disproportionate effort. That changes the risk picture for the founder personally.
If a customer files a FADP access request and we ignore it, who is personally liable?
Under FADP Art. 60 the fine hits the natural person who wilfully committed the violation, whoever decided not to answer or signed off a false answer, not the company (the company is fined only as the Art. 64 fallback). The maximum is CHF 250'000; the offence is a criminal contravention, prosecuted on complaint by the cantonal authorities rather than by the FDPIC, and a fine above the registration threshold is entered in the personal criminal record. Only wilful violations are punishable, negligence is not, but a request that was received, logged and then left unanswered is hard to present as negligence. Build a thirty-day access-request workflow with a ticket per request, a dated response and a record of what was disclosed; that alone moves you out of the risk zone.
Sub-processors
List your sub-processors in an annex. Most enterprise customers want thirty days' prior notice for new additions with a right to object; this notice-and-objection model is the general authorisation of GDPR Art. 28(2) and satisfies the prior-authorisation requirement of FADP Art. 9(3). If they object, you owe a reasonable alternative or a termination right for the affected service. List your hosting provider (AWS, Hetzner, Infomaniak), your monitoring stack (Datadog, Sentry), your email infrastructure (Postmark, Mailgun) and any AI vendor (OpenAI, Anthropic, your fine-tuning service). Do not hide a vendor: an undisclosed sub-processor is a common reason a renewal stalls and an easy finding in any customer audit.
Technical and organisational measures
Attach a one-page TOM annex covering encryption at rest (AES-256, named) and in transit (TLS 1.3, named), access controls (SSO, least privilege, MFA enforced), logging and audit retention (typically twelve months), backup frequency and retention (named numbers, not 'regular'), incident response (named on-call rotation and notification chain), and personnel training (annual, with attestation). Keep it concrete. Customers reject vague descriptions and accept terse, specific ones.
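The annex is only worth attaching if the code enforces what it names. The following is an added example, not from the original page: a Python `ssl` client context that matches the line "TLS 1.3 in transit", next to the permissive context that many services actually ship, and an audit function that turns the difference into findings you can paste into (or fix before) the TOM annex. The host name in the usage block is an assumption.

```python
"""Added example (not from the original page): make the TOM annex line
"TLS 1.3 in transit" true in code, and audit a context against it."""
import ssl


def permissive_context() -> ssl.SSLContext:
    """What many services ship: no protocol floor, no certificate or hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.3 only, system CA store, certificate and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings where the context falls short of the annex; empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("protocol floor below TLS 1.3")
    return findings


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Name of the enforced minimum protocol version, e.g. 'TLSv1_3', for the annex."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    import socket

    for name, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(name, tls_floor(ctx), audit_context(ctx) or "OK")

    # Hypothetical endpoint (assumption); the handshake below needs network access.
    host = "api.example.com"
    try:
        with socket.create_connection((host, 443), timeout=5) as raw:
            with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
                print(tls.version(), tls.cipher())
    except OSError as exc:
        print("handshake failed:", exc)
```

Run `audit_context` over every outbound client context in the code base (and the equivalent check on server listeners) before writing "TLS 1.3" into the annex; a customer audit will test the claim with a scanner, and a stated control that the scanner contradicts costs more than a weaker but accurate statement.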
Hosting and residency
Swiss customers in regulated industries will ask where the data sits. If you host in the EU, say so and point to the Federal Council's adequacy list (DPV Annex 1), which covers the EU and EEA states. If you host in Switzerland, say so and point to the FADP and, for banks and insurers, to FINMA's outsourcing expectations (FINMA is a federal regulator; Circular 2018/3 does not mandate Swiss residency, but it expects a risk assessment for data held abroad and guaranteed access for the company, its audit firm and FINMA); hospitals and other healthcare providers answer to cantonal regulators with their own residency expectations. If you use a US provider, attach its Data Privacy Framework certification: check the official DPF list before you sign, and check that the entry covers the Swiss-U.S. DPF (recognised by the Federal Council in 2024) and not only the EU-U.S. one, since a company can be certified under one without the other. Vague answers extend the negotiation; specific answers close it.
We use OpenAI for an in-product feature. What do I write in the DPA?
List OpenAI as a sub-processor in the annex, name the API endpoint and region (if your project uses OpenAI's European data-residency option, that is the pin to name), declare the data category (typically not special-category data), note that under OpenAI's API terms API inputs are not used for training by default, and attach OpenAI's DPA as a downstream document. If your customer is FINMA-regulated, expect a follow-up question on the legal basis for the transfer to the US. If OpenAI's entry on the DPF list covers the Swiss-U.S. DPF, the answer is adequacy under FADP Art. 16(1) via DPV Annex 1; otherwise it is FADP Art. 16(2)(d), standard data protection clauses recognised by the FDPIC, i.e. the EU SCCs with the Swiss annex as incorporated in the OpenAI DPA. Do not cite Art. 16(2)(b): that letter covers bespoke contractual clauses, which must be notified to the FDPIC beforehand. Have this conversation ready before the customer asks.
Do I need to appoint a DPO under the revised FADP?
Not mandatory under the FADP for private companies. FADP Art. 10 obliges federal bodies to appoint a data protection adviser; for private controllers the appointment is voluntary, with no size threshold. It is still worth doing. If the adviser meets the Art. 10(3) conditions (independent and not bound by instructions, no conflicting duties, the necessary expertise, contact details published and notified to the FDPIC), a controller that has consulted the adviser may skip the FDPIC consultation that a high-risk DPIA would otherwise require (Art. 23(4)), and enterprise customers increasingly require a named contact in the DPA annex. Separately, if the GDPR applies to you under its Art. 3(2), GDPR Art. 37 may make a DPO mandatory regardless of the FADP. Cost: CHF 6'000 to 15'000 per year for a fractional external adviser, less than the price of one full FADP audit.
When the customer sends their own DPA
Large Swiss enterprises (SBB, Swisscom, Migros, the big banks) send their own template. Review it for three traps: (a) joint controllership clauses that try to make you a controller of the customer's data, refuse; (b) liability uncapped for any data event, refuse and propose a separate cap for data breaches at three times annual fees; (c) audit rights with no notice period and no cost cap, propose thirty days notice and one audit per twelve months at the customer's cost unless they find a material breach. These three are the negotiation; everything else usually flows.
Sources
- Federal Act on Data Protection (FADP), SR 235.1, in force since 1 September 2023: Art. 8, 9, 10, 16, 23, 24, 25, 60, 64
- Data Protection Ordinance (DPV), SR 235.11: Annex 1 (countries with adequate protection)
- EU General Data Protection Regulation, Regulation (EU) 2016/679: Art. 28, 32, 33 (processor contracts, security, breach notification)
- Swiss FDPIC (EDÖB): guidance on cross-border transfers and the Swiss SCCs
- FINMA Circular 2018/3 (FINMA-Rundschreiben 2018/3): Outsourcing for banks and insurers
- EU-U.S. Data Privacy Framework: official list of certified companies (DPF List)