External Data Protection Officer (DPO)

As an external DPO, we take on all the functions required by law and support your company in all matters relating to data protection and data security, in a pragmatic and goal-oriented manner.

One person is responsible for the compliance and control of data protection in your company.

 

Focus areas
  • Checking the processing of personal data within the company;
  • Recommend corrective measures if it is determined that data protection regulations have been violated;
  • Maintaining a list of data collections and making it available to the FDPIC or data subjects upon request;
  • Conduct risk analyses in the area of data protection;
  • Create or update internal guidelines around data protection.
Relevant data protection regulations

The Swiss Federal Act on Data Protection (FADP) and its Ordinance (OFADP) apply in Switzerland.

The revised DPA came into force on 1 September 2023. The current DPA can be found here. Further information can be found here.

In future, fines of up to CHF 250,000 may be imposed on individuals for wilful:

  • false and incomplete information;
  • breach of the duty to provide information;
  • non-compliance with minimum data security requirements;
  • inadmissible transmission abroad;
  • order processing which does not comply with the legal requirements;
  • breach of the duty of confidentiality.

The European General Data Protection Regulation (GDPR) is a European Union regulation that harmonises the rules for the processing of personal data by private companies and public bodies across Europe. It has been in force since 25 May 2018.

Data Protection Officer under the GDPR

Pursuant to Article 37 GDPR, the controller and the processor shall in any case designate a data protection officer where the processing is carried out by a public authority or public body, with the exception of courts, insofar as they act in the course of their judicial activities, the core activity of the controller or processor is the carrying out of processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or the core activity of the controller or processor consists in the extensive processing of special categories of data or of personal data relating to criminal convictions and offences.

Data protection officers according to the revised FADP

Art. 11 FADP

According to Article 11 of the revised FADP, private data controllers may appoint a data protection advisor.

The data protection advisor is the point of contact for data subjects and for the authorities responsible for data protection in Switzerland. He or she has the following tasks in particular:

  • Training and advising the private data controller on data protection issues;
  • Participation in the application of data protection regulations.

Private controllers may make use of the exemption under Article 23 paragraph 4 if the following conditions are met:

  • The data protection advisor shall exercise his or her function vis-à-vis the controller in a professionally independent manner and without being bound by instructions.
  • He or she shall not carry out any activities which are incompatible with his or her duties as a data protection advisor.
  • She or he has the necessary expertise.
  • The data controller shall publish the contact details of the data protection advisor and communicate them to the FDPIC.

The Federal Council shall regulate the appointment of data protection advisors by federal bodies.

According to Article 23 paragraph 4 FADP, private data controllers may refrain from consulting the Federal Data Protection Commissioner if they have consulted the data protection advisor in accordance with Article 10.

Pursuant to Article 23 of the Data Protection Regulation (DPA), the data controller must provide the data protection advisor:

  • provide the necessary resources;
  • provide access to all information, documents, records of processing activities and personal data required by the counsellor to fulfil his or her duties;
  • grant the right to inform the supreme governing or administrative body in important cases.

 

Focal points of the data protection advisor
  • Check the processing of personal data within the company;
  • Recommend corrective measures if he/she finds that data protection regulations have been violated;
  • Implement data protection requirements (DSG, DSGVO)
  • Draw up data protection guidelines and declarations
  • Data mapping, drawing up the register of processing activities
  • Developing data protection declarations (online/offline)
  • Checking and drafting order processing contracts / joint controller contracts
  • Monitoring the transfer of personal data abroad (cross-border data protection compliance)
  • Establishing processes in response to requests from data subjects (e.g. information, correction, deletion processes)
  • Planning the behaviour in the event of data security breaches being detected
  • Advising and assisting in the implementation of data protection impact assessments
  • Implementing the principles of privacy by design and privacy by default
  • Developing and reviewing data security concepts
  • Developing and implementing deletion concepts
  • Communicating with supervisory authorities
  • Establishing controls for data protection compliance/data protection audits
  • Employee training
Your advantages of an external data protection advisor
  • Independent and neutral, not bound by instructions
  • Data protection is handled by a specialist
  • Conflicts of interest are avoided
  • Continuity is guaranteed
  • Reduced expenditure
  • Efficiency due to competence
Bruno Schnarwiler

Konsulent Informationssicherheit

Bruno Schnarwiler ist ein Experte in Wirtschaftsinformatik mit über 30 Jahren Erfahrung als Auditor, Projektmanager, Berater und Führungskraft. Mit Abschlüssen als Eidg. Dipl. Wirtschaftsinformatiker, CISA und ISO 27001 Lead Auditor verfügt er über Fachkenntnisse in Informationssicherheit, Krisen- und Risikomanagement sowie digitalen Archivierungslösungen. Er hatte Schlüsselrollen wie Leiter IT-Revision und Risikomanagement in einer Bank, Leiter Softwareentwicklung und Berater für Sicherheit. Diese Tätigkeiten gaben ihm umfassende Einblicke in Branchen und Prozesse. Er trägt zur Implementierung sicherer IT-Umgebungen, Optimierung interner Kontrollsysteme und Entwicklung nachhaltiger Lösungen bei, die moderne Anforderungen erfüllen.
Edith Luginbühl

Assistant

Edith Luginbühl is a dedicated and experienced assistant with over 50 years of professional experience. Her professional career began with a commercial apprenticeship at a major bank and has taken her through various sectors, including the catering, hotel, car rental, travel agency and newspaper editorial offices. Her strengths include her friendly and professional manner, her reliability and her keen eye for detail.

Alexander Wild began his law studies at the University of Zurich in 2019. Before and during his studies, he gained initial experience in the compliance department of a bank, worked as an IT supporter and in the legal department of an international pharmaceutical company. His activities included checking/compliance with bank instructions, sanctions, customer and country risk; assessment of general customer risk for the bank; wet ink support and support in the process optimisation of contract signings. Since 2022 he has been working as a paralegal at Balthasar Legal AG and LR | Rechtsanwälte. He is expected to complete his Master's degree in 2025.

Sangmo Agontsang

Paralegal

Sangmo Agontsang completed her diploma in business administration at the Kaderschule Zürich in 2012. After graduating, she worked as a CEO assistant for Freitag lab ag and CBM Switzerland, among others. She also gained experience in the organisation of the Kaderschule Zürich and worked in the Intellectual Property department of Freitag lab ag. There she worked internationally with a team of lawyers to defend the company's rights. Since 2022 she has been working as a paralegal at Balthasar Legal AG.

 

Markus Bruggmann

MLaw Senior Adviser

MLaw Markus Bruggmann completed his law degree at the University of Zurich in 2013 and has since worked for a bank, a commercial law firm and an insurance company, among others, where he specialised in advising, reviewing and drafting contracts in the areas of communications and technology law (data protection), taking into account liability and intellectual property law. His strengths include his analytical skills and broad experience.