Cloud computing in Switzerland

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

Cloud computing (and anything-as-a-service (XaaS)) continues to be one of the most important trends in the Swiss IT sector. Although most of the cloud solutions are still deployed in-house (besides traditional outsourcing and managed services), software-as-a-service (SaaS), in particular, is becoming more and more important as a procurement model. Cloud computing is now available for most of the areas of application (ie, including, besides SaaS, infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and backend-as-a-service (BaaS)). Private clouds are most commonly used (63 per cent), public clouds and hybrid clouds are on a par with 28 per cent each, although hybrid scenarios continue to gain in popularity as companies are seeking to build an IT services mix based on individual preferences. In this regard, the security of companies’ data and cloud providers’ data centres as well as a high availability of cloud services play an important role.

EveryWare AG acquired 100 per cent of the shares in the Zurich-domiciled iSource AG as of 1 January 2018. Both companies operate as cloud and IT service providers for medium-sized business customers.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

The international cloud providers are Amazon, Google, SAP, IBM and Oracle. Microsoft was expected to provide cloud services as of 2019.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

The leading national cloud providers include myfactory, bexio and ABACUS. Such providers mainly provide SaaS - and, in particular, SaaS enterprise resource planning (ERP) and unified-communication-as-a-service - to private (small and medium-sized) businesses. These providers operate private as well as public or on-premise clouds.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

The software market in Switzerland is undergoing substantial changes due to the rising importance of ‘as-a-service’ offerings. Such services do not only transform the market but also buying patterns. It must, however, be noted that despite SaaS being the fastest-growing segment at the moment, market shares are still limited in relation to on-premises solutions (in particular, software). It appears the latter will remain important for the foreseeable future.

The total market volume of managed private clouds in Switzerland in 2016 was around 440 million Swiss francs and the public cloud market is reported to be around 810 million Swiss francs. In both sectors, SaaS account for significantly more than 50 per cent of the market volume (58.7 per cent private cloud and 81.1 per cent public cloud). The entire market for conventional hardware, software and IT services amounts to more than 27 billion Swiss francs.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

See, for example, the study ‘ISG Provider Lens Germany 2017 - Cloud Transformation/Operation Services & XaaS’ from ISG/Experton Group, a global market research company, in which ISG/Experton takes a close look at the cloud market in Switzerland (accessible online at: http://research.isg-one.de/research/studien/isg-provider-lens-germany-2017-cloud-transformationoperation-services-xaas/ergebnisse-ch.html?L=0, the study has been conducted and published for the fourth time).

In addition, the eCH Cloud Computing Group (www.egovernment.ch/en/umsetzung/e-government-schweiz-2008-2015/cloud-computing-schweiz/) has been conducting researches and studying the cloud computing sector since the end of 2014 (the respective papers are accessible online at: www.egovernment.ch/de/umsetzung/e-government-schweiz-2008-2015/cloud-computing-schweiz).

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

A strategy on cloud computing has been developed by the Swiss Federal Strategy Unit for Information Technology (FSUIT) together with experts from the Confederation, the cantons, the communes, enterprises affiliated with the Confederation and the private sector, and was adopted by the eGovernment Steering Committee on 25 October 2012. The strategy serves to promote both the responsible use of cloud services and the offering of cloud solutions for authorities at all government levels (the respective paper is accessible online at: www.egovernment.ch/de/umsetzung/e-government-schweiz-2008-2015/cloud-computing-schweiz).

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

No.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

No, Switzerland has not (yet) introduced specific regulations for cloud computing. The applicable laws, ordinances and regulations were usually enacted at a time when cloud computing, its possibilities and risks were unknown. According to the above-mentioned strategy on cloud computing (see question 6), the authorities, in cooperation with associations and interest group, must identify necessary adjustments with regard to the current legislation. However, as of today, no cloud-specific regulation has been proposed by the said parties.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

No, there are no legal provisions in Switzerland that would (directly or indirectly) prohibit, restrict or otherwise govern, cloud computing, onshore or offshore.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Where the customer of a cloud services provider is subject to compliance (eg, national and international stock exchange regulations, obligations in connection with accounting regulations, document retention obligations and audit rights of authorities, etc) or contractual obligations as regards third parties (eg, licence restrictions concerning the use of software and confidentiality obligations), respective obligations must be regulated in the contracts with the cloud services provider which indirectly is obliged to comply with the regulations and obligations. This also applies to compliance with data protection regulations that are imposed on the customers of cloud service providers.

In addition, on 18 March 2016, the Swiss parliament adopted the revised Federal Act on the Surveillance of Mail and Telecommunication Traffic (BÜPF). This act entered into force on 1 March 2018. The revised statute’s objective is to improve criminal investigations if telecommunication services are involved. The revised statute is expected to apply also to cloud services providers since they qualify as providers of derived communication services that permit one-way or multiple-way communication. Providers of email services, of chat rooms, of platforms, such as Facebook, that permit communication as well as providers of platforms where documents can be uploaded (for example, Google Docs) are, for example, deemed providers of derived communication services. It is expected that the statute and the respective duties may not be enforced upon non-Swiss domiciled companies, that is, probably most of the providers of such derived communication services. Providers of derived communication (eg, cloud service providers) are obliged to tolerate surveillance measures and, upon request, permit access to their data processing systems. Furthermore, if available, they must disclose the telecommunication ‘marginal data’. However, the BÜPF does not impose an obligation to store such data during six months on providers of derived communication (as is the case with regard to telecommunication service providers). Moreover, they are under no obligation to identify their customers.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

Unless a conduct is covered by another criminal law provision, non-compliance may result in a fine of up to 100,000 Swiss francs in the following cases:

non-adherence to a request of the surveillance office; and
disclosure of a confidential surveillance ordered by the surveillance office.

In addition, the breach of confidentiality obligations, in particular, of the business secrecy (article 162, the Swiss Criminal Code) and the banking secrecy (article 47, the Banking Act) may be sentenced to imprisonment (not exceeding three years) or a fine.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

The distinction between business-to-business (B2B) and business-to consumer (B2C) transactions is not significant in Switzerland. In particular, no separate body of laws or rules for B2B deals exist but, for B2C contracts, some restrictions apply in regard to consumer protection (see the following paragraph). However, Swiss law does not provide for an equivalent to EU customers’ mandatory withdrawal rights set forth in the Directive 97/7/EC on the protection of consumers in respect of distance contracts (Distance Selling Directive) for online sales.

According to the Swiss Federal Private International Law Act (PILA), for disputes arising out of in connection with consumer contracts, the Swiss courts of the consumer’s domicile or ordinary residence or of the offeror’s (cloud provider’s) domicile or ordinary residence have jurisdiction, at the discretion of the consumer. Such place of jurisdiction is mandatory and cannot be waived in advance. The cloud provider can, however, only take civil action against the consumer at the consumer’s domicile or ordinary residence or the place of performance. Consumer contracts are defined as contracts for goods and services that are for current personal or family consumption and are not connected with the professional or business activity of the consumer.

Furthermore, regarding consumer contracts, the choice of law is excluded, meaning that they are governed by the law of the state of the consumer’s ordinary residence in any of the following instances:

the supplier received the order in that state;
the contract was entered into after an offer or advertisement in that state and the consumer performed the acts required to enter into the contract in his or her state; and
the consumer was induced by the supplier (cloud provider) to go abroad for the purpose of delivering the order.

Entering into business contracts online with a Swiss consumer will, in most cases, fall under the first two groups above. Consequently, the contracts cloud providers enter into with Swiss consumers concluded by electronic means are generally governed by Swiss law.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There is no sector-specific legislation or regulation that applies to cloud computing transactions in Switzerland. Sector-specific laws, however, indirectly apply to cloud computing transactions. In particular, highly sensitive data such as data on health, data subject to attorney-client confidentiality or bank client data are subject to special legal conditions regarding confidentiality, data protection and data security. When data is collected in clouds, special information and due diligence obligations must be respected depending on the type of data that is collected or processed and the actual locations of the cloud data centres.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

Lacking specific insolvency laws for internet providers (including cloud service providers), the general Swiss insolvency laws apply according to which, with the opening of bankruptcy proceedings, claims that are not for a sum of money are converted into a monetary claim of corresponding value. The bankruptcy administration, however, would have the right in the debtor’s (cloud provider’s) stead to fulfil synallagmatic contracts that had only partly been fulfilled at the time of the opening of the bankruptcy. However, given that the bankruptcy administration is not qualified to provide cloud services, cloud computing contracts are usually terminated if bankruptcy proceedings open. In such cases, a creditor may only request segregation of items (from the bankrupt estate), such as its data, that are the property of the creditor but are in possession of the debtor.

However, according to the prevailing legal doctrine, the Swiss Federal Supreme Court and the practice of the debt enforcement and bankruptcy agencies, such segregation can principally only be claimed for physical objects but not for non-physical ones, such as electronic data. A customer may therefore currently only request segregation if the cloud computing provider is in possession of a separate data carrier that is owned by the customer. For the time being, the customer should therefore be able to continue its operations in the case of the provider’s insolvency (eg, backups, etc).

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

The processing of personal data may only be assigned by an entity to a cloud service provider (B2B) based on an outsourcing agreement, if:

the data is processed only in the manner permitted for the instructing party itself; and
it is not prohibited by a statutory or contractual duty of confidentiality.

In addition, the assigning entity must further ensure, that the cloud service provider guarantees data security. In particular, the personal integrity of the data subject must be protected through adequate technical and organisational measures against unauthorised or accidental destruction, accidental loss, technical faults, forgery, theft or unlawful use, unauthorised alteration, copying, access or other unauthorised processing (see article 7, DPA and article 8 et seq, Swiss Data Protection Ordinance). Additionally, if cloud computing services involve disclosures of personal data abroad, the specific requirements for cross-border data flows must be complied with (see article 6, DPA), which are largely aligned with the ones of the GDPR. Furthermore, despite the assignment of the data processing to cloud service providers, the assigning entity remains under an obligation to provide the information requested by one of its customers. The cloud provider is only obliged to provide information if it does not disclose the identity of the assigning entity, that is, the controller, or if the controller is not domiciled in Switzerland (see article 8, DPA).

A Swiss-domiciled cloud service provider not established in the EU may further fall within the scope of GDPR with respect to EU/EEA resident natural persons:

if it is processing the personal data of such persons; and
if the processing activities are related to the intentional, active offering of goods or services to the EU/EEA resident persons.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

Cloud computing contracts may comprise various services containing elements of software licence agreements, lease agreements, service level agreements, hardware and software support agreements, data storage agreements and data transmission agreements.

Agreements concerning the provision of IaaS may usually be qualifies as lease agreements or at least as special contracts with substantial lease elements. However, processing ability does not form part of a typical lease contract. It qualifies rather as a mandate agreement (article 397 et seq) or, depending on the specifications of the contract, as a contract for works in accordance with article 363 et seq.

Agreements concerning the provision of PaaS, SaaS or XaaS are usually deemed special contracts if the deployed hardware is used by means of a virtual server. Such special contracts comprise lease and service contract elements, and, depending on the services to be rendered, contract for work elements.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Swiss cloud service providers usually insist that the cloud computing contracts they enter into are governed by Swiss law (under exclusion of the United Nations Convention on Contracts for the International Sale Goods, 11 April 1980, and other international treaties). The same applies with regard to the place of jurisdiction (Switzerland).

Careful attention must be given to dispute resolution mechanisms. Time is often crucial and the customer should ensure that he or she can obtain fast resolution against the cloud service provider if need be.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

The general terms and conditions of Swiss B2B public cloud computing providers typically contain the following terms:

rights to use the software provided by the provider;
use restrictions:

use of the functionalities of the software exclusively according to the specifications and the licensing terms as well as within the scope of the cloud service provided by the provider; and
prohibition to make any changes to the software (eg, by further developing the software);

acceptable use policy:

customer to assume the sole responsibility for the content of the data that is being processed in connection with the use of the cloud services; and
customer to indemnify the provider against any third-party claims resulting from illegal use of the cloud services;

security:

technical, personnel and organisational security measures to be taken by provider; and

requirements concerning standardisation and compatibility of technical systems;
service levels:

if specific parameters relating to the availability of the cloud services have been agreed upon, the B2B public cloud computing contract usually sets out the legal consequences of deviations from the services, which are:

requirements concerning data backup, return, disaster recovery; and
requirements concerning data protection, security and audit rights;

remuneration:

customer may usually choose between different price metrics; and

limitation of liability:

liability usually only for gross negligence and unlawful intent; or
if liability is only for mere negligence then limitation of the amount for which a party may be sued.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Since data that is the object of the cloud computing agreement may include sensitive information (eg, business and trade secrets or patient information), cloud computing agreements must also address the confidential nature of data stored with the cloud service provider and the consequences of a breach of the confidentiality obligation.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

The typical terms in this context are:

service availability;
asssurance of compliance with data protection regulations;
guarantee of data integrity, data security, etc;
implementation of high security standards (encryption, access management, monitoring, telecommunication connections, etc);
backup scenarios;
backup of data;
audit rights to verify compliance with data protection regulations;
correct and necessary labelling for the identification of dedicated (ie, customer owned) IT infrastructure in the event of bankruptcy (unless the customer explicitly states other wishes);
conclusion of insurance solutions for data stock/integrity; and
implementation of regular checks of data security and integrity.

The fact that the cloud service provider can have access to important business data of the customer because the data is located on its infrastructure must be reflected accordingly in the scope and amount of liability. A corresponding service level agreement for business-critical services from the cloud should be part of the cloud computing contract. The same applies to contractual penalties, in particular in the event of breaches of data protection regulations, service-level agreements and confidentiality undertakings.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

The cloud service providers usually grant the customer the licence rights to use the required software applications within the framework of the cloud contract, either for the subscription of IaaS, SaaS or XaaS. However, updates or upgrades, release management and so on are the responsibility of the cloud service provider, since the customer has neither licence and maintenance contracts with the corresponding software suppliers, nor do they have the necessary access rights to perform such work.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

If a Swiss court qualifies a cloud computing agreement or the substantial parts thereof as mandate agreement in accordance with article 394 et seq, the Swiss Code of Obligation, such an agreement may be terminated by either party without cause at any time with immediate effect. This termination right (article 404, the Swiss Code of Obligation) is mandatory and cannot be validly excluded. However, if termination is effected at an improper time, the party terminating is liable to the other party for the damages caused. Outside the scope of article 404, the parties are free to agree on the contract term and termination rights. However, the tendency is that the customers do not want to enter into long-term agreements with cloud service providers so they can have flexibility to swiftly change the provider.

Cloud computing agreements usually contain termination provisions for both ordinary and extraordinary circumstances and include detailed exit and post-termination assistance provisions. Appropriate notice periods allow the parties to transfer the outsourced services to a third-party provider or take them back in-house.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

The parties to a cloud services agreement should consider whether the agreement may result in the transfer of a business unit and, therefore, the automatic transfer of the customer’s employees employed with the business unit to the cloud service provider.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

A cloud computing company established with its domicile (and place of effective management) in Switzerland is generally subject to unlimited Swiss profit and capital tax (applicable rates vary, depending on the canton of domicile) on its full profit or taxable capital, potentially subject to an international tax allocation in the specific case (eg, generally no taxation right for profit derived from a permanent establishment (PE) abroad) and depending on applicable double taxation treaties. A stamp issuance duty is levied on the creation or increase of the nominal value of shares in a Swiss company, on the amount of share capital or share premium exceeding a once exempt amount of 1 million Swiss francs.

A cloud computing company with its domicile abroad may have a PE in Switzerland and hence is subject to Swiss profit/capital tax (applicable rates vary, depending on the location of the PE) if it has a fixed place of business in Switzerland in which all or a part of the business activity of the enterprise is carried out. The tax liability in this case is in principle limited to the profit/capital to be allocated to the PE. There is currently no guidance published by the Swiss tax authorities based on what circumstances a foreign cloud computing service provider may create a PE in Switzerland. A case-by-case assessment is required and obtaining a tax ruling would be recommended.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

Cloud computing services qualify as an electronic supply of services in the sense of the Swiss VAT Act and are taxable at the ordinary rate of currently 7.7 per cent. The determination of the place of supply follows the place-of-receipt principle.

A Swiss company offering such services mandatorily needs to register for Swiss VAT and subsequently charge Swiss VAT on the services in case its annual turnover from taxable services in Switzerland and abroad exceeds 100,000 Swiss francs (below this threshold, a voluntary Swiss VAT registration generally is possible).

Cloud computing services imported into Switzerland are subject to reverse charge at the level of a Swiss VAT-registered recipient (for non-VAT-registered recipients, no reverse charge applies). To the extent a foreign company provides respective services to Swiss non-VAT-registered recipients, the company needs to mandatorily register for Swiss VAT (and subsequently charge VAT on the services) in case its annual turnover from taxable services in Switzerland and abroad exceeds 100,000 Swiss francs.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

None to date.

Update and trends

Key developments of the past year

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

Key developments of the past year27 What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

No update at this time.

The information in this chapter is correct as at October 2018.

Register now for your free, tailored, daily legal newsfeed service.

Cloud computing in Switzerland

Filed under

Popular articles from this firm

Bär & Karrer Advised the Farner Group on the Expansion of its Agency Alliance "Team Farner" with GFD *

Q&A: shareholder activist strategies in Switzerland *

Employer of Record (EOR) - Overview and Legal Pitfalls *

At a glance: tax law enforcement in Switzerland *

In brief: arbitration agreements in Switzerland *

Related practical resources PRO

Related research hubs