GDPR & Swiss FADP
Stockaj is built for tenants operating under Swiss revFADP (in force since 2023-09-01) and EU GDPR (Reg. 2016/679). Both regimes are treated as primary.
Lawful basis
Tenants are the data controllers for the personal data they upload (typically renter / customer data). Stockaj is the data processor. The lawful basis is the contract between the tenant and Stockaj and, downstream, between the tenant and their customers.
Data subject rights
The Stockaj API surfaces the rights mandated by GDPR Art 15-22 and revFADP Art 25:
| Right | API |
|---|---|
| Access | GET /api/v1/parties/{id}/export — full JSON export |
| Rectification | PATCH /api/v1/parties/{id} |
| Erasure | DELETE /api/v1/parties/{id} (soft-delete; purged after 30 days) |
| Portability | GET /api/v1/parties/{id}/export?format=portable |
Retention defaults
| Data class | Retention |
|---|---|
| Auth tokens | 90 days idle |
| EPCIS events | 7 years from event time (Swiss CO Art 958f) |
| Invoices, UBL docs | 10 years (Swiss CO, EU VAT) |
| Soft-deleted personal data | 30 days then purged |
Tenants on enterprise plans can configure retention per data class.
Breach notification
Stockaj follows GDPR Art 33 (72h to the supervisory authority) and revFADP Art 24 (notification "as soon as possible" to the FDPIC).
Reference
- Swiss revFADP — https://www.fedlex.admin.ch/eli/cc/2022/491/de
- EU GDPR — https://eur-lex.europa.eu/eli/reg/2016/679/oj