New Federal Act on Data Protection
What is the nFADP?
nFADP stands for the New Federal Act on Data Protection, which will come into effect on the 1st of September 2023. The nFADP is the new piece of data protection legislation in Switzerland, which aims to bring the country’s current legal framework up to date and on par with other legal acts, such as GDPR.
Once in force, all Swiss and international companies that offer goods and services to Swiss citizens and process their personal data will be subject to the nFADP. Similar to GDPR, nFADP introduces the extra-territoriality principle for its applicability, meaning it also applies to organizations located outside of Switzerland if they process the personal data of Swiss citizens.
Notably, the nFADP will only apply to the protection of personal data, unlike the old FADP, which also encompassed the protection of an organization’s data. It also shares many similarities with GDPR, as the intention of the lawmakers was to harmonize the Swiss regulatory framework and bring it closer to GDPR. The nFADP, however, is less strict than GDPR in certain areas, e.g. sanctions, the appointment of a DPO, and requirements for privacy policies.
What rights are afforded to data subjects under the nFADP?
Organizations must provide data subjects with the following rights for their personal data:
1. Right to information;
2. Right to data portability;
3. Right to erasure; and
4. Right to rectification.
Atlassian and the nFADP
Similar to GDPR, the nFADP provides for the roles of a controller and a processor. Atlassian predominantly acts as a processor of personal data we process on behalf of our customers in connection with the provision of our Cloud Products. Please refer to Section 2.2 as well as Exhibit A, Annex 1(B), Part A of the Data Processing Addendum for further information.
Data Subject Rights under the nFADP
Atlassian provides its users and customers information around its data processing practices, purposes, and other relevant data in its privacy policy.
Furthermore, our tools help customers meet obligations under the nFADP as it relates to data subject requests. You can read more about our tools below.
1. To assist customers with the right to delete:
- Atlassian organization admins can facilitate the account deletion of their managed users from controls in their admin portal
- Unmanaged end users may also request that their personal data be deleted by initiating an account deletion request from their Atlassian account profile page
- People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for deletion
2. To assist users with the right to access:
- Atlassian organization admins can facilitate access of their managed users' data from Atlassian support
- Unmanaged end users may also request that their personal data be accessed by initiating a data access request from Atlassian support
- People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for access
Choice and consent
We value choice and transparency around how we collect, use, and share information, and provide optionality within different product or account settings. Our Privacy Policy summarizes those choices, how to exercise them, and any relevant limitations.
For more information about end-user data rights, see “Manage your personal data privacy”.
Please note that for our Swiss end users, we surface consents for cookies and marketing messages to provide clarity and control at points of collection.
Data Processing Agreements
Atlassian has updated its Customer data processing agreement to comply with the nFADP. It incorporates the Swiss FADP as defined in the agreement. The latest version of the data processing agreement can be found here.
International data transfers
As a company with a global customer base and operations, Atlassian must be able to transfer and access data around the world. We understand and respect the rules for conducting international transfers of personal data outside of Switzerland, and offer customers a robust international data transfer framework as a part of our commitment under Atlassian's Data Processing Addendum (DPA). The DPA ensures that our customers can lawfully transfer personal data to Atlassian Cloud products outside of Switzerland by relying on the Standard Contractual Clauses, considering the relevant modifications under Swiss law.
Similar to GDPR, the Swiss data protection law allows for international data transfers insofar as the requirements of the law are met. According to the Federal Data Protection and Information Commissioner (FDPIC), the new EU Standard Model Clauses can also be used to safeguard international data transfers from Switzerland to countries without an adequate level of data protection, provided that they include the necessary amendments to account for Swiss law.
Whenever we share your data with Atlassian sub-processors, we remain accountable to you for how it is used by any of these organizations. We require all service providers to undergo a thorough diligence process and enter into contracts that ensure our customers' personal data receives adequate protection and safeguards. We will continue to analyze legal requirements in this regard and any others issued by European data protection authorities as they arise. In the meantime, please note that Atlassian:
- offers information relevant to the data transfers in our Data Transfer Impact Assessment
- allows customers to pin in-scope product content at rest to a location. Planned expansions to our data residency program (including data residency for apps and additional locations) are highlighted in Atlassian’s cloud roadmap
- encrypts data in transit and at rest
- publishes an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts
- provides additional information about our policies and procedures for responding to requests for user data in our Guidelines for Law Enforcement
To learn more about our Data Processing Addendum and the Standard Contractual Clauses, see our Privacy FAQs.
For more information on how we process personal data as a controller under the GDPR, see our Privacy Policy.
For news about the latest developments (including around data transfer laws), please visit our Data Processing Addendum page.
Other commitments
Below are several other initiatives that have been implemented within our Cloud:
- We have ensured that Atlassian staff who access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data
- We provide a list of our subprocessors on our Subprocessors page and offer an RSS feed subscription so you can stay up-to-date on any changes
- We have committed to carrying out data impact assessments and consulting with the regulators where appropriate
- We will assist with notifying regulators of security breaches and promptly communicating any breaches to customers and users
- We are committed to honoring our obligations as data importers under the Standard Model Clauses