between
all clients / Mandates of Fidinter
(referred to as ‘the client’)
and the order processor
Fidinter Treuhand AG and/or Fidinter AG
Bellerivestrasse 203
CH-8008 Zürich
Switzerland
Postal address:
P.O. Box
8034 Zürich
Switzerland
(designated as ‘Fidinter’ or ‘order processor’)
(both together referred to as ‘the parties’)
1. Preamble
This agreement (hereinafter referred to as “DPA”) specifies the obligations of the parties regarding the provisions of the New Federal Act on Data Protection (nFADP).
In this regard, it supplements the mandate agreement/contractual relationship and the General Terms and Conditions (hereinafter referred to as ‘GTC’) between Fidinter and the client.
This DPA shall only apply if and to the extent that the following conditions are met:
– The client is either the controller or order processor within the scope of the nFADP, and
– The client engages Fidinter under the mandate agreement/collaboration as order processor or sub-processor for the processing of personal data covered by the scope of the nFADP.
2. Subject and term of the agreement
The order processor may, among other things, provide fiduciary, tax, consulting, auditing and accounting services for the client based on a separate contractual relationship or mandate agreement.
This agreement enables the parties to fulfil their obligations under applicable data protection law (see Fidinter’s Data Protection Policy (DPP)) when the order processor processes personal data on behalf of the client. It specifies the parties’ data protection obligations arising from the mandate agreement described in the separate contract.
The clauses of this agreement apply to all activities related to the separate contractual relationship in which the order processor and its employees or persons commissioned by the order processor come into contact with personal data originating from the client or collected for its customers.
The term of this agreement is based on the term of the separate contractual relationship and Fidinter’s General Terms and Conditions, and can only be terminated with them, either ordinarily or extraordinarily.
3. Type of processing and type of data
The order processor shall have access to personal data on behalf of the client. This includes activities described in the separate mandate agreement.
The activities of the order processor may include the following:
- Receiving, processing and sending payroll data
- Preparing and sending payslips
- Managing employee master data
- Preparing certificates and notifications for authorities and insurance companies
- Accessing and processing data at the client’s premises or directly at their customer’s premises
Personal data required to perform these activities:
- Personal master data
- Employee master data
- Communication data
- Contract master data
- Salary data
- Social security and health data
- Billing and payment data
- Any other personal data arising from separate contractual relationships
4. Obligations of the order processor
4.1. The order processor and persons subordinate to him who have access to personal data may only process the data within the scope of the order and the instructions of the client (procure, store, retain, use, modify, disclose, archive, delete or destroy, etc.), unless there is an exceptional case, e.g. investigations by law enforcement authorities. In such a case, the order processor shall notify the client of this legal order, unless the law in question prohibits such notification on grounds of important public interest.
In the case of a change in the persons authorised to issue instructions or a long-term incapacity of the named persons, the successor or representative shall be named to the contractual partner.
If an instruction from the client violates applicable legal regulations, the order processor shall immediately notify the client.
4.2. The order processor shall use the data provided for processing exclusively for the agreed purpose and not for its own purposes. It shall not make any copies or duplicates of the data without the client’s knowledge unless these are backup copies.
4.3. The order processor is not authorised to delete or otherwise destroy data processed on behalf of the client without authorisation, except:
- if the circumstances mentioned in Fidinter’s General Terms and Conditions apply (see section 10.2 of the GTC)
- there is a legal reason that requires such a measure
4.4. The processing of data outside the order processor’s company premises, such as in employees’ home offices, is hereby permitted by the client. In cases where data processing takes place in a private residence, appropriate security measures must be contractually ensured.
4.5. The order processor undertakes to treat all personal data that becomes known to them within the scope of this order data processing agreement as confidential. This obligation shall remain in force even after termination of this agreement. The order processor shall ensure that all persons who have access to the personal data or are entrusted with its processing are informed of the confidentiality obligation and are contractually bound accordingly.
4.6. The order processor is obliged to report any breaches of data protection or irregularities to the client without delay and to disclose all relevant details of the breach, including the nature of the breach, the personal data affected, the possible consequences and the measures taken or planned to contain the incident and minimise any negative consequences. Any legally required notification (https://databreach.edoeb.admin.ch/report) to the Federal Data Protection and Information Commissioner (hereinafter referred to as ‘FDPIC’) remains the responsibility of the client or, ultimately, the data controller.
4.7. At the request of the client, the order processor is obliged to correct data if it is incorrect or incomplete. If a data subject asserts their rights, in particular their right to information, disclosure or transfer of data, their right to object, or their right to correction, deletion or destruction of data, directly against the processor, the order processor shall not act independently but shall immediately refer the person to the client and await the client’s instructions.
4.8. The order processor may only disclose personal data from the contractual relationship to third parties or the data subject after receiving prior instructions or consent from the client.
4.9. Upon completion of the contractual work, the order processor undertakes to delete or destroy all documents and results of use created within the scope of this contract data processing agreement in accordance with data protection regulations and to return to the client all documents, data and data carriers provided to it within the scope of the separate contractual relationship. Deletion or destruction shall take place unless there is a legal reason to the contrary. It should be noted that the contractor may be legally obliged to retain certain data for a defined period. However, after this period has expired, the data in question shall also be deleted or destroyed in accordance with data protection regulations without prior notice.
4.10. The order processor confirms that they are aware of the relevant data protection regulations and undertakes to comply with them in full.
5. Technical and organisational measures (‘TOM’)
5.1. The order processor undertakes to take appropriate technical and organisational measures to ensure the security of personal data.
5.2. The order processor shall take appropriate technical measures to protect personal data against unauthorised access, loss or destruction. This includes the use of firewalls, encryption technologies, access controls, and other appropriate security measures.
5.3. In addition, the order processor implements appropriate internal organisational measures to ensure that only authorised employees have access to personal data. These measures include training employees in data protection regulations and implementing access restrictions.
5.4. These technical and organisational measures are regularly reviewed and updated as necessary to comply with current technological standards and applicable data protection regulations.
6. Data processing location
6.1. Data processing takes place exclusively in Switzerland or in a third country that meets the legal requirements for data protection.
6.2. If data is processed abroad or transferred abroad, it is ensured in advance that data protection requirements are met:
- Outsourcing to a subcontractor in a member state of the European Union (EU) or the European Economic Area (EEA) or in a country that has adequate data protection in accordance with the applicable nFADP is permitted on condition that a contractual agreement is concluded in accordance with the nFADP (known as a contract processing agreement).
- Outsourcing to a subcontractor in a country that does not have adequate data protection is permissible on condition that the contractor and the subcontractor conclude a contractual agreement in accordance with the nFADP (known as a data processing agreement, DPA) and that the specific requirements of the nFADP are met, in particular:
  - because the client ensures adequate data protection by concluding standard data protection clauses with the subcontractor, which have been previously approved, issued or recognised by the FDPIC, and
  - because, where necessary, additional measures have been agreed and implemented to supplement the standard data protection clauses.
7. Subcontracting relationships with subcontractors
7.1. The order processor shall perform its services itself. The use of subcontractors is generally permitted.
7.2. Subcontractors shall be carefully selected based on their suitability and reliability. Additional order processors in third countries may only be commissioned if the legal data protection requirements are met.
7.3. The order processor is obliged to contractually transfer all data protection obligations to the subcontractor in accordance with the contract and to ensure that the subcontractor fully complies with data protection regulations and contractual requirements.
8. Liability
The client is liable to the data subject for compensation for damages or other claims arising in connection with the processing of personal data. Direct recourse to the order processor is only permissible if the order processor has acted with gross negligence or intentionally violated the provisions of this contract. Liability for (gross) negligent breach of obligation is limited to a maximum of three times the fee for the order in question, to the extent permitted by law.
9. Final clauses
9.1. Should any provision of this agreement be invalid or unenforceable, or should this agreement contain a loophole, this shall not affect the validity and enforceability of the remaining provisions of the agreement. The invalid or unenforceable provision or gap shall be replaced by a valid and enforceable provision that, in the opinion of the parties, most closely approximates the economic purpose of the invalid or unenforceable provision.
9.2. This agreement is governed exclusively by Swiss law, excluding conflict-of-law provisions. The place of jurisdiction is the registered office of Fidinter (currently Zurich).
9.3. Notwithstanding any written form requirements in the mandate agreement, this DPA may also be agreed between the parties by electronic means.
9.4. The obligations arising from this DPA apply in addition to the obligations set out in the mandate agreement and Fidinter’s GTC and do not restrict the last two points.
9.5. In all other respects, the provisions of the GTC, any supplementary mandate agreements and the Data Protection Policy (DPP) shall apply. In the event of any contradictions between this agreement and the GTC or any supplementary mandate agreements, the provisions of the supplementary mandate agreements shall take precedence, followed by those of the GTC.
Last change: January 2026