Categories: Data & Privacy, Digital Business Law Bites, Blog
Numerous Swiss companies as well as public organizations rely on Microsoft's cloud services. In addition to the basic contract, the Microsoft Customer Agreement (MCA), the "Amendment for Switzerland regarding Microsoft Products and Services Data Protection Addendum" and, in the case of official or professional secrecy, the "Professional Secrecy and Official Secrecy - Industry-Specific Terms (Switzerland)" addendum must be agreed for the purposes of Swiss data protection. Depending on the case, further addenda may be added, such as for regulated financial institutions or the so-called In-Geo-Processing. For more information on the use of M365 in the area of professional secrecy, see here (in German only).
These first two additions are partly the result of negotiations that we conducted for Swiss banks and public institutions a few years ago. Microsoft subsequently standardized the contractual provisions and now offers them to all business customers, including SMEs. This is a welcome development.
What is less pleasing is that Microsoft has not yet managed to introduce a clean process for all customers for the documented agreement of these additions (in technical jargon, this is sometimes referred to as "attestation"). Such a process has been in place for a long time for larger customers (where corresponding documents are signed), but not for SMEs, which are supplied via the so-called Cloud Solution Providers (CSP). Although the SME customer can obtain these addenda from their CSP, it is not yet possible to clearly document that these have been concluded with Microsoft Ireland Operations Ltd., the contractual partner for the cloud services.
Many Swiss CSPs are overwhelmed by this situation. Some also do not understand the contractual construct and certainly not the meaning of the various addenda. In addition, these change frequently, and there are no version numbers to enable proper tracking. The German translations also regularly contain errors that distort the meaning (we therefore always recommend using only the English versions). For example, some CSPs mistakenly believe that they themselves are contractual partners for the provision of cloud services by Microsoft, which is just as incorrect as the sometimes widespread view that the cloud services are contractually agreed with Microsoft Switzerland (the latter only provides so-called professional services).
However, we have been able to find a workaround for the problem of the missing signature process for SME customers. It works like this:
The clause reads:
"[CSP Partner] confirms that they are authorized by Microsoft (as defined in the Microsoft Customer Agreement (MCA)) under their Microsoft Partner Agreement to provide eligible customers with additional contractual components (the "MCA Amendments") officially published in the Microsoft Partner Portal at the time of the transaction, in addition to the MCA, and that Microsoft has confirmed to [CSP Partner] for the attention also of [Customer] that the MCA Amendments will come into force directly between the respective customer and the relevant Microsoft entity(ies) upon unilateral valid acceptance by the customer of these terms, in addition to the MCA terms. Expressly limited to the validity and enforceability of the MCA and the MCA Amendments between Microsoft and [Customer] [CSP] acts as a declaratory and receiving messenger of Microsoft. The MCA Amendments under this Agreement consist of [above contractual components 1, 2, and 3] - as provided in appendices [one] - [two] - [three]."
In this way, in addition to the MCA, the MCA addenda are not only agreed directly with Microsoft Ireland Operations Ltd., but this is also documented in writing through the agreement with the CSP. The solution assumes, of course, that Microsoft Ireland Operations Ltd. has actually authorized the Swiss CSP, as described in the clause, as part of its instructions and training of the CSP, to pass on the relevant statement from it to the customers and to receive their statements for Microsoft's attention. According to our information, based on our clarifications with Swiss CSPs, this workaround would, in our opinion, work for the CSPs as well. We had to choose this construction via CSPs as "declaratory messengers" and "receiving messengers" (a concept of Swiss law) because the CSPs are legally not so-called representatives or agents of Microsoft Ireland Operations Ltd., i.e. they are not authorized to sign the contract addenda on its behalf.
We have already implemented this approach in practice for our clients.
We have also informed Microsoft Ireland Operations Ltd. via Microsoft Switzerland of this approach and specifically that we consider the CSP to be a declarant and receiver of Microsoft Ireland Operations Ltd. for the purposes stated. We also submitted the clause to them. No objection was raised. After an internal Microsoft review showed that the contract tool available to the CSP does not (yet) provide a technical option for confirming the conclusion of the MCA addenda for SME customers, it accepted the procedure we developed as a workaround and has informed its CSP accordingly.
It is to be hoped that in the near future a clean process for documenting the completion of the various MCA supplements will be created.
David Rosenthal
Team Head