External Data Protection Officer (DPO)

One person is responsible for the compliance and control of data protection in your company.

As an external DPO, we take on all the functions required by law and support your company in all matters relating to data protection and data security, in a pragmatic and goal-oriented manner.

Focus areas
  • Checking the processing of personal data within the company;
  • Recommend corrective measures if it is determined that data protection regulations have been violated;
  • Maintaining a list of data collections and making it available to the FDPIC or data subjects upon request;
  • Conduct risk analyses in the area of data protection;
  • Create or update internal guidelines in the area of data protection.
Relevant data protection regulations

In Switzerland, the Swiss Federal Data Protection Act of 19 June 1992 (DPA) and its Ordinance (DPO) apply. It was revised in 2020. The Federal Council decided at its meeting on 31 August 2022 that the totally revised Data Protection Act will now enter into force on 1 September 2023. The current DPA can be found here. Further information can be found here.

In future, fines of up to CHF 250,000 may be imposed on individuals for wilful:

  • false and incomplete information;
  • breach of the duty to provide information;
  • non-compliance with minimum data security requirements;
  • inadmissible transmission abroad;
  • order processing which does not comply with the legal requirements;
  • breach of the duty of confidentiality.

The European General Data Protection Regulation (GDPR) is a European Union regulation that harmonises the rules for the processing of personal data by private companies and public bodies across Europe. It has been in force since 25 May 2018.

Data Protection Officer under the GDPR

Pursuant to Article 37 GDPR, the controller and the processor shall in any case designate a data protection officer where the processing is carried out by a public authority or public body, with the exception of courts, insofar as they act in the course of their judicial activities, the core activity of the controller or processor is the carrying out of processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or the core activity of the controller or processor consists in the extensive processing of special categories of data or of personal data relating to criminal convictions and offences.

Data protection officers according to the revised FADP

Art. 11 FADP

According to Article 11 of the revised FADP, private data controllers may appoint a data protection advisor.

The data protection advisor is the point of contact for data subjects and for the authorities responsible for data protection in Switzerland. He or she has the following tasks in particular:

  • Training and advising the private data controller on data protection issues;
  • Participation in the application of data protection regulations.

Private controllers may make use of the exemption under Article 23 paragraph 4 if the following conditions are met:

  • The data protection advisor shall exercise his or her function vis-à-vis the controller in a professionally independent manner and without being bound by instructions.
  • He or she shall not carry out any activities which are incompatible with his or her duties as a data protection advisor.
  • She or he has the necessary expertise.
  • The data controller shall publish the contact details of the data protection advisor and communicate them to the FDPIC.

The Federal Council shall regulate the appointment of data protection advisors by federal bodies.

According to Article 23 paragraph 4 FADP, private data controllers may refrain from consulting the Federal Data Protection Commissioner if they have consulted the data protection advisor in accordance with Article 10.

Pursuant to Article 23 of the Data Protection Regulation (DPA), the data controller must provide the data protection advisor:

  • provide the necessary resources;
  • provide access to all information, documents, records of processing activities and personal data required by the counsellor to fulfil his or her duties;
  • grant the right to inform the supreme governing or administrative body in important cases.

 

Focal points of the data protection advisor
  • Check the processing of personal data within the company;
  • Recommend corrective measures if he/she finds that data protection regulations have been violated;
  • Implement data protection requirements (DSG, DSGVO)
  • Draw up data protection guidelines and declarations
  • Data mapping, drawing up the register of processing activities
  • Developing data protection declarations (online/offline)
  • Checking and drafting order processing contracts / joint controller contracts
  • Monitoring the transfer of personal data abroad (cross-border data protection compliance)
  • Establishing processes in response to requests from data subjects (e.g. information, correction, deletion processes)
  • Planning the behaviour in the event of data security breaches being detected
  • Advising and assisting in the implementation of data protection impact assessments
  • Implementing the principles of privacy by design and privacy by default
  • Developing and reviewing data security concepts
  • Developing and implementing deletion concepts
  • Communicating with supervisory authorities
  • Establishing controls for data protection compliance/data protection audits
  • Employee training
Your advantages of an external data protection advisor
  • Independent and neutral, not bound by instructions
  • Data protection is handled by a specialist
  • Conflicts of interest are avoided
  • Continuity is guaranteed
  • Reduced expenditure
  • Efficiency due to competence
Edith Luginbühl

Assistant

Edith Luginbühl ist eine engagierte und erfahrene Assistentin mit über 50 Jahren Berufserfahrung. Ihre berufliche Laufbahn begann mit einer kaufmännischen Ausbildung bei einer Grossbank, und führte sie durch verschiedene Branchen, darunter die Gastronomie, Hotellerie, Autovermietung, Reisebüro, Zeitungsredaktion. Zu ihren Stärken zählen ihre freundliche und professionelle Art, ihre Zuverlässigkeit sowie ihr ausgeprägtes Auge für Details.

Alexander Wild begann 2019 sein rechtswissenschaftliches Studium an der Universität Zürich. Vor und während seinem Studium konnte er bereits erste Erfahrungen in einer Compliance Abteilung einer Bank erlangen, arbeitete als IT-Supporter sowie in einer Legal Abteilung eines international tätigen Pharmaunternehmen. Seine Tätigkeiten umfassten unter anderem die Prüfung/Einhaltung von Bankweisungen, Sanktionen, Kunden und Länderrisiko; Beurteilung des generellen Kunden-Risikos für die Bank; Wet Ink Support sowie Support in der Prozessoptimierung von Vertragsunterzeichnungen. Seit 2022 arbeitet er als Anwaltsassistent bei der Balthasar Legal AG sowie LR | Rechtsanwälte. Sein Masterstudium wird er voraussichtlich 2025 abschliessen. 

Sangmo Agontsang

Paralegal

Sangmo Agontsang schloss 2012 ihr Diplom als Wirtschaffachfrau an der Kaderschule Zürich ab. Im Anschluss an ihrem Diplom als Wirtschaftsfachfrau arbeitete Sangmo Agontsang als CEO Assistentin unter anderem für Freitag lab ag und CBM Schweiz. Sie verfügt des Weiteren über Erfahrung in der Organisation der Kaderschule Zürich, sowie über 3 Jahre Erfahrung in der Intellectual Property Abteilung der Freitag lab ag und hat dabei international mit einem Team von Anwälten die Rechte ihres Unternehmens verteidigt. Seit 2022 arbeitet sie als Paralegal bei der Balthasar Legal AG.

Markus Bruggmann

MLaw Senior Adviser

MLaw Markus Bruggmann hat 2013 sein rechtswissenschaftliches Studium an der Universität Zürich abgeschlossen und war seitdem unter anderem bei einer Bank, einer Wirtschaftskanzlei und einer Versicherung tätig, wo er sich auf die Beratung sowie die Prüfung und Redaktion von Verträgen in den Bereichen des Kommunikations- und Technologierechts (Datenschutz) unter Berücksichtigung des Haftpflicht- und Immaterialgüterrechts spezialisierte. Zu seinen Stärken gehören seine analytischen Fähigkeiten und seine breite Erfahrung.