What GDPR and revFADP require
The EU’s GDPR and the revised Swiss Federal Act on Data Protection (revFADP, in force since 2023) govern the processing of personal data. Relevant for remote support:
- Records of processing activities (Art. 30 GDPR / Art. 12 revFADP): you must document who accessed which data, when.
- Data-processing agreement (Art. 28 GDPR / Art. 9 revFADP): if an external IT provider accesses personal data (just “seeing” is enough), a DPA is required.
- Data security (Art. 32 GDPR / Art. 8 revFADP): encryption, access control, audit trail.
- Data location: EU or recognised third countries (Switzerland is recognised).
The most common pitfalls
Fallback to a US cloud server. You use a P2P tool, but behind a symmetric NAT the connection falls back to a TURN relay — and that relay is in the US. Data that flows through US infrastructure is subject to the CLOUD Act. Solution: pick a tool with a Swiss/EU relay.
No DPA with the tool vendor. If you run remote sessions on customer devices as an IT provider, you are the data processor for the customer’s data. The tool vendor is the sub-processor. Both DPAs must exist.
No audit trail. In a GDPR audit you have to prove who ran which session and when. Some tools only log “47 sessions this month” — that’s not enough. Required per session: the technician’s name, the target device, the duration and any file transfers.
Session recording without consent. If you record sessions (e.g. for compliance), you need the explicit consent of the end user at the host device. Without consent: violation.
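The relay fallback in the first pitfall can be verified from the client side rather than taken on trust. This is an added example, not WinDesk’s code, and it assumes the support client is WebRTC-based (the page does not say which stack it uses): it reads entries shaped like an RTCStatsReport, finds the nominated candidate pair, and reports whether that path runs through a TURN relay and whether the relay is on the vendor’s documented Swiss/EU list. The stats entries and the approved relay addresses are constructed samples.

```javascript
// Added example (not WinDesk's code). Assumes a WebRTC-based client; in a
// browser the entries come from Array.from((await pc.getStats()).values()).
// Relay addresses the vendor documents as Swiss/EU (constructed sample values).
const APPROVED_RELAYS = new Set(["203.0.113.10", "198.51.100.20"]);

// Which ICE path actually carries the session traffic?
function describeSelectedPath(stats) {
  const byId = new Map(stats.map((s) => [s.id, s]));
  // Only the nominated pair in state 'succeeded' carries the session data.
  const pair = stats.find(
    (s) => s.type === "candidate-pair" && s.state === "succeeded" && s.nominated
  );
  if (!pair) return { connected: false, usesRelay: false, relays: [] };
  const relays = [pair.localCandidateId, pair.remoteCandidateId]
    .map((id) => byId.get(id))
    .filter((c) => c && c.candidateType === "relay")
    .map((c) => ({
      address: c.address ?? c.ip, // older Chrome builds report 'ip'
      port: c.port,
      protocol: c.relayProtocol ?? c.protocol,
    }));
  return { connected: true, usesRelay: relays.length > 0, relays };
}

// Data-location check: a direct P2P path is fine; a relay must be on the list.
function checkDataLocation(stats, approved = APPROVED_RELAYS) {
  const path = describeSelectedPath(stats);
  if (!path.connected) return { ok: false, reason: "no nominated candidate pair" };
  if (!path.usesRelay) return { ok: true, reason: "direct P2P path" };
  const foreign = path.relays.filter((r) => !approved.has(r.address));
  if (foreign.length === 0) return { ok: true, reason: "relay on approved list" };
  return {
    ok: false,
    reason: "relay outside approved list: " + foreign.map((r) => r.address).join(", "),
  };
}

// Constructed sample: the symmetric NAT defeated the server-reflexive pair,
// so the session runs over a TURN relay (192.0.2.55) that is not approved.
const SAMPLE_RELAY_SESSION = [
  { id: "L1", type: "local-candidate", candidateType: "relay", address: "192.0.2.55", port: 50000, protocol: "udp", relayProtocol: "udp" },
  { id: "L2", type: "local-candidate", candidateType: "srflx", address: "198.51.100.7", port: 60000, protocol: "udp" },
  { id: "R1", type: "remote-candidate", candidateType: "relay", address: "192.0.2.55", port: 50001, protocol: "udp" },
  { id: "P1", type: "candidate-pair", state: "failed", nominated: false, localCandidateId: "L2", remoteCandidateId: "R1" },
  { id: "P2", type: "candidate-pair", state: "succeeded", nominated: true, localCandidateId: "L1", remoteCandidateId: "R1" },
];

console.log(checkDataLocation(SAMPLE_RELAY_SESSION));
```

Run the check once the session is established and log the result next to the session record; a relay address outside the approved list is exactly the silent US hop the pitfall describes.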
The Swiss advantages
If you’re a Swiss IT provider and pick a Swiss vendor:
- No CLOUD Act. Swiss limited-liability companies without a US parent cannot be compelled to hand over data to US authorities.
- Shorter mutual legal assistance. Disputes with a Swiss vendor end up in a Swiss court — no multi-jurisdiction complexity.
- FDPIC as point of contact. Complaints go to the Federal Data Protection and Information Commissioner — pragmatic and specialised in Swiss law.
Practical checklist
Before deploying a remote tool for regulated customers:
- ✅ Data location documented? Servers in Switzerland or EU.
- ✅ DPA in place? Standard DPA from the vendor read + filed.
- ✅ E2E encryption? AES-256 or equivalent, documented.
- ✅ Audit trail enabled? Per session: who/when/what, exportable as CSV.
- ✅ Roles + permissions? Not every technician on everything. Principle of least privilege.
- ✅ Consent for recording? If sessions are recorded.
- ✅ Vendor without CLOUD Act exposure? Clearly relevant for sensitive data (health, finance, legal).
- ✅ Tracking config explicitly set? No “everything goes to vendor marketing anonymously”.
Where WinDesk stands
WinDesk was built specifically for the Swiss compliance context:
- Servers in Switzerland and the EU, no US cloud hop
- Lightnet Multimedia GmbH is a Swiss limited-liability company without US parent — no CLOUD Act
- AES-256-GCM E2E per session, ephemeral key
- Audit trail by default, CSV export, filter by user/period/device
- Standard DPA available in the portal
- Roles: admin / supporter / read-only
- Optional session recording arrives in 2026 with a consent workflow
See the security page for detailed proofs. DPA questions: info@windesk.ch.