Data Protection – Who’s at the Helm?

In our digital world, where personal data must be handled like a precious treasure, it is essential to clearly understand the roles in data protection. As a company, with every processing operation involving personal data, the key question arises: Am I acting as the data controller or as the data processor? How can these crucial data protection roles be identified, and why does this distinction matter so much in practice?

20.03.2026
Nicole Fischer
+41 58 510 13 91
cco@umb.ch

The data controller, as defined by data protection law, is the entity that determines the purposes and means of processing personal data. The data processor, on the other hand, processes this data solely on behalf of and in accordance with the instructions of the data controller.

Data controller or data processor: a maritime analogy

To better understand these roles, it is helpful to use an analogy from the maritime world. The captain determines the route and the rules, and is responsible for the voyage and for safety on board. The crew carries out the captain's instructions, steers the ship, and handles organizational and technical tasks, but generally has no broad decision-making authority of its own. In practice, this means: as the controller, you determine how and why personal data is processed, whether for marketing, HR management, or customer service purposes. The processor ensures implementation within the agreed contractual framework.


The data processing agreement: The contractual compass needle

UMB AG typically acts as an IT service provider on behalf of its clients and thus as a data processor[i]. This is where the Data Processing Agreement (DPA) comes into play. It serves as the indispensable contractual foundation for data protection. The agreement details the rights and obligations of both parties, specifies the types of personal data being processed and the purpose of such processing, and outlines the security measures in place. Notably, it documents the technical and organizational measures (TOMs) that UMB implements to ensure data integrity, confidentiality, and availability[ii]. Examples include access controls, storage controls, and segregation controls. Without such an agreement, companies risk fines and liability issues, as both the Swiss DSG and the GDPR require a written agreement.


Responsibility remains on board

As the data controller, you can outsource certain tasks; however, you remain responsible for ensuring compliance with data protection laws. Key legal obligations include establishing a legal basis for data processing, such as consent, contractual necessity, or a legal requirement; legitimate interest may also serve as a legal basis. You must also honor data subjects' rights, such as the right to access, rectify, or erase their data, or to object to its processing. You must provide transparent privacy policies, carefully select and monitor data processors, and promptly report data breaches to the supervisory authorities. All of these actions must be in accordance with the applicable data protection regulations.


Data processor: The crew in action

The data processor acts solely on the instructions of the data controller and may not use the data for its own purposes. Its core responsibilities include implementing and maintaining security measures such as firewalls, intrusion detection systems, and employee training; ensuring confidentiality by requiring all parties involved to maintain confidentiality; immediately reporting incidents to the controller; and assisting with audits by providing reports or certifications such as ISO 27001.


Stay vigilant!

In practice, there are a few pitfalls to watch out for, such as underestimating the need to address subcontractors in the contract. Any change of subcontractor must be communicated to the controller to maintain transparency. Another mistake is assuming that outsourcing completely transfers responsibility. Stay vigilant and document everything, because data protection laws require thorough documentation. To maintain control as the data controller, ensure contractually that your data processor processes data only to the agreed extent, immediately provides all relevant information in the event of a data breach, notifies you of changes involving subcontractors, and allows for audits or evidence such as certifications. When outsourcing, always enter into a data processing agreement and incorporate it into your contractual documents.


Stay at the helm - with UMB as your reliable crew

If you determine the course, you are the captain—and thus the controller. Use partners like UMB to securely outsource your IT infrastructure without relinquishing control. Our services are fully compliant with the Swiss Federal Act on Data Protection (FADP / DSG) and the EU General Data Protection Regulation (GDPR / DSGVO). Let’s work together to navigate the waters of data protection safely. Contact us for more information.

This blog post serves exclusively to convey basic knowledge about compliance and regulatory requirements and to demonstrate that UMB takes these aspects into account within the framework of its services. The text is based on the current status as of March 2026.


[i] For internal data processing activities, for example when processing personnel or employee data, UMB naturally acts as the controller.

[ii] UMB-Blog: Data security and privacy
