On Cloud Legal

Universities are considering working with cloud products. Data protection and small print are giving them pause for thought.

Text: Esther Zysset, published on 01.04.2014

The devil is in the detail – as far as the cloud is concerned, in data protection. This is often seen as the biggest stumbling block in cloud computing. Specifically, anyone who moves personal data into the cloud is still responsible for compliance with the Data Protection Act. The following requirements in particular must be borne in mind:

Data security

Appropriate technical and organisational measures must be in place to protect personal data against unauthorised access and loss, even when data processing is outsourced to third parties. This means that anyone wanting to use the cloud has to find out about the guarantees offered by the cloud provider in terms of data security.


In principle, the Act permits data processing by third parties. However, it imposes two restrictions. Firstly, the outsourcing partner is only allowed to process the data in the same way as the client would be allowed to do so. Secondly, no additional confidentiality requirements must exist that prohibit outsourcing. The client remains responsible for the security of the data being processed.

Disclosure of data abroad

Commercial providers of cloud solutions in particular often have data centres spread across the globe. Clients' data are sent back and forth between them. The Data Protection Act prohibits the disclosure of personal data abroad under certain circumstances, namely when the privacy of those concerned would be "seriously endangered". According to the Act, this is especially the case in the absence of legislation that guarantees adequate protection in the destination country. The Federal Data Protection and Information Commissioner keeps lists of destination countries that are regarded as safe and those that are regarded as unsafe. The United States is only regarded as safe subject to certain conditions (see last paragraph), whereas the European Union countries generally have sufficient legislation in place. Large parts of Asia, Central and South America are regarded as unsafe. When it comes to a legally compliant choice of cloud provider, it is thus essential to know where the client data will be stored. 

To sum up, therefore, we can say that the requirements of the law on data protection must be borne in mind when choosing a cloud provider. In other words, the standard contracts offered by commercial providers must be studied very carefully with regard to the following:

Small print

The small print defines the scope of the services provided. What promises are made? What guarantees does the provider offer, for example, in terms of availability? Attention must also be paid to the following aspects:


Contracts often include broadly worded disclaimers. These are legally permissible to some extent in most cases, but they can prove to be disadvantageous for the client when problems arise.

Applicable law and place of jurisdiction

These provisions are not important for the client if there are no problems with the contract. When difficulties occur, however, they can determine whether or not legal claims are followed up. If the jurisdiction is in the US or Australia, it will often be too complicated and too costly for a Swiss client to assert any claim. If the applicable law and place of jurisdiction are Swiss, on the other hand, there is much less of a legal hurdle for the client.

Exit scenario

What are the provisions on termination? Do they cover returning the data or transferring them to another cloud provider? Does the provider offer any assistance in such cases? Does the provider undertake to delete the client's data after termination of the contract?

In conclusion, a critical eye needs to be cast over the terms and conditions. It may be better to store different types of data in different places. By taking this approach, it is possible to implement cloud solutions that comply with Swiss law.

This article appeared in the SWITCH Journal April 2013.
About the author
Esther Zysset

Esther Zysset has been General Counsel at SWITCH since 2012. Prior to that, she was a lawyer at a firm specialising in corporate law.


Important information

Personal data: The Data Protection Act defines personal data as "all information relating to an identified or identifiable person". Data in anonymised form and data that do not relate to a person in any way are thus not covered by the Act.

Data Protection Act: Switzerland has a Federal Act on Data Protection (DPA, SR 235.1), which governs the processing of personal data by private persons and federal bodies, including institutions forming part of the Federal Institutes of Technology. This article refers to the Federal Act. Cantonal institutions are subject to separate cantonal legislation, the requirements of which deviate from the Federal Act in some cases.

Prerequisites for disclosing data to the US: The US company must have signed a special data protection agreement, the US-Swiss Safe Harbour Framework, for its data processing to be qualified as safe.
