Legal
Swiss FADP Addendum
This Addendum modifies the watchtower Data Processing Agreement ("DPA") and Privacy Policy for transfers, processing, or rights involving Switzerland. It applies to Customers established in Switzerland or whose end users include Swiss data subjects.
The Swiss Federal Act on Data Protection ("FADP") was substantially revised in 2023; this Addendum is shaped to the revised text.
1. Application
This Addendum applies in addition to the DPA. To the extent of any conflict between this Addendum and the DPA, this Addendum controls solely with respect to Swiss matters.
2. References to GDPR
Every reference in the DPA to:
- "GDPR" or "Regulation (EU) 2016/679" shall be read as referring also to the FADP for Swiss matters.
- "Personal data" shall include sensitive personal data as defined under the FADP. Watchtower does not process sensitive personal data by design (Privacy Policy Section 2).
- "Supervisory authority" shall be read as referring also to the Federal Data Protection and Information Commissioner (FDPIC) for Swiss matters.
3. International transfers from Switzerland
For transfers from a Swiss exporter to a watchtower processor:
- Watchtower's principal infrastructure is in Germany (EEA), which is a country recognised by the FDPIC as offering an adequate level of protection. Transfers from Switzerland to Germany do not require additional safeguards.
- Transfers to Sentry, Inc. (US) are governed by the Swiss Standard Contractual Clauses as accepted by the FDPIC for processor-to-processor transfers, equivalent in substance to EU SCC Module 3. Our Transfer Impact Assessment is written to cover Swiss as well as EU transfers.
- The Swiss-US Data Privacy Framework, where applicable to Sentry, provides an alternative basis equivalent to the EU-US DPF.
4. Notification obligations
Under the revised FADP, watchtower is required to notify the FDPIC of a security breach involving high risk to data subjects without delay. This timeline is shorter and the threshold is "high risk" rather than GDPR's "risk." Watchtower's incident-response procedure applies the higher EU-GDPR-style 72-hour threshold by default; for Swiss breaches involving high risk the notification cadence is immediate without waiting for the 72-hour window.
5. Data subject rights
Swiss data subjects have rights substantially equivalent to those under the GDPR. Watchtower's response procedure (Privacy Policy Section 8) applies.
Swiss data subjects may lodge a complaint with the FDPIC (https://www.edoeb.admin.ch).
6. Representative in the EU / Switzerland
Watchtower is established in Sweden (EU). For Swiss matters, no Swiss representative is required where the processing meets the threshold conditions in Article 14 FADP; if the threshold is crossed, a Swiss representative will be appointed.
7. References
This addendum modifies the watchtower base legal pack (Data Processing Agreement, Privacy Policy, sub-processor list).