External Data Protection Officer (DPO)
One person is responsible for the compliance and control of data protection in your company.
As an external DPO, we take on all the functions required by law and support your company in all matters relating to data protection and data security, in a pragmatic and goal-oriented manner.
- Checking the processing of personal data within the company;
- Recommending corrective measures if it is determined that data protection regulations have been violated;
- Maintaining a list of data collections and making it available to the FDPIC or data subjects upon request;
- Conducting risk analyses in the area of data protection;
- Creating or updating internal guidelines in the area of data protection.
Relevant data protection regulations
In Switzerland, the Swiss Federal Data Protection Act of 19 June 1992 (DPA) and its Ordinance (DPO) apply. The Act was revised in 2020. At its meeting on 31 August 2022, the Federal Council decided that the totally revised Data Protection Act will enter into force on 1 September 2023.
In future, fines of up to CHF 250,000 may be imposed on individuals for wilful:
- false and incomplete information;
- breach of the duty to provide information;
- non-compliance with minimum data security requirements;
- inadmissible transmission abroad;
- order processing which does not comply with the legal requirements;
- breach of the duty of confidentiality.
The European General Data Protection Regulation (GDPR) is a European Union regulation that harmonises the rules for the processing of personal data by private companies and public bodies across Europe. It has been in force since 25 May 2018.
Data Protection Officer under the GDPR
Pursuant to Article 37 GDPR, the controller and the processor shall in any case designate a data protection officer where:
- the processing is carried out by a public authority or public body, with the exception of courts acting in the course of their judicial activities;
- the core activity of the controller or processor is the carrying out of processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects; or
- the core activity of the controller or processor consists in the extensive processing of special categories of data or of personal data relating to criminal convictions and offences.
Data protection officers according to the revised FADP
Art. 11 FADP
According to Article 11 of the revised FADP, private data controllers may appoint a data protection advisor.
The data protection advisor is the point of contact for data subjects and for the authorities responsible for data protection in Switzerland. He or she has the following tasks in particular:
- Training and advising the private data controller on data protection issues;
- Participation in the application of data protection regulations.
Private controllers may make use of the exemption under Article 23 paragraph 4 if the following conditions are met:
- The data protection advisor shall exercise his or her function vis-à-vis the controller in a professionally independent manner and without being bound by instructions.
- He or she shall not carry out any activities which are incompatible with his or her duties as a data protection advisor.
- He or she has the necessary expertise.
- The data controller shall publish the contact details of the data protection advisor and communicate them to the FDPIC.
The Federal Council shall regulate the appointment of data protection advisors by federal bodies.
According to Article 23 paragraph 4 FADP, private data controllers may refrain from consulting the Federal Data Protection Commissioner if they have consulted the data protection advisor in accordance with Article 10.
Pursuant to Article 23 of the Data Protection Ordinance (DPO), the data controller must:
- provide the data protection advisor with the necessary resources;
- grant the advisor access to all information, documents, records of processing activities and personal data required to fulfil his or her duties;
- grant the advisor the right to inform the supreme governing or administrative body in important cases.
Focal points of the data protection advisor
- Checking the processing of personal data within the company;
- Recommending corrective measures if he or she finds that data protection regulations have been violated;
- Implementing data protection requirements (FADP/DSG, GDPR/DSGVO);
- Drawing up data protection guidelines and declarations;
- Data mapping and drawing up the register of processing activities;
- Developing data protection declarations (online/offline);
- Checking and drafting order processing contracts / joint controller contracts;
- Monitoring the transfer of personal data abroad (cross-border data protection compliance);
- Establishing processes for responding to requests from data subjects (e.g. information, correction and deletion processes);
- Planning the response to detected data security breaches;
- Advising on and assisting with the implementation of data protection impact assessments;
- Implementing the principles of privacy by design and privacy by default;
- Developing and reviewing data security concepts;
- Developing and implementing deletion concepts;
- Communicating with supervisory authorities;
- Establishing controls for data protection compliance / data protection audits;
- Employee training.
Your advantages with an external data protection advisor
- Independent and neutral, not bound by instructions
- Data protection is handled by a specialist
- Conflicts of interest are avoided
- Continuity is guaranteed
- Reduced expenditure
- Efficiency due to competence