Data protection advisor

The Data Protection Act allows companies to self-regulate. Those that appoint a data protection advisor and notify the FDPIC that they have done so will be subject to fewer data protection impact assessment requirements. The role of the data protection advisor and the person chosen to exercise that role must nevertheless fulfil certain criteria. They monitor a company’s compliance with data protection requirements and provide the data controller with advice on data protection matters.

Under the current FADP, companies that appoint a data protection advisor and inform the FDPIC thereof may refrain from notifying us of their data collections. The list of data collection owners who are exempt from the notification requirement by designating a company data protection officer or data protection officers is available until the new FADP enters into force in September 2023 and is updated on an ongoing basis. (List in German, French or Italian)

Verzeichnis der Inhaber der Datensammlungen, die durch Bezeichnung einer oder eines betrieblichen Datenschutzverantwortlichen der Meldepflicht enthoben sind (PDF, 443 kB, 07.06.2023)

Private companies can appoint a data protection advisor in accordance with Article 10 of the Data Protection Act. The data protection advisor may be, but does not have to be, an existing employee. Data protection advice should be given independently of the company’s other activities in any case.

The work of the data protection advisor should ideally be kept separate from other legal advice and representation. The data protection advisor should be given the opportunity to present their point of view on cases where company management is not in agreement.

Contrary to the terms of the GDPR, only federal bodies are obliged to name a data protection advisor; it is voluntary for private companies. Private companies must notify the FDPIC of their DPO if they wish to be exempted from the data protection impact assessment, however. They can use the FDPIC’s dedicated notification portal for this.

Reporting portal

In addition to serving as a contact point for people within their companies, the data protection advisor is also the contact person for the FDPIC and other authorities responsible for data protection in Switzerland. If a company’s data protection advisor is not an employee of the private data controller, they will regularly be required to present a power of attorney for the private data controller when representing it.

A data protection advisor's tasks also include providing members of the company with general advice and training on data protection. They participate in creating and applying terms of use and data protection rules. They advise the data controller on data protection matters, but the data controller alone is responsible for ensuring that personal data are processed in accordance with data protection requirements.

The private data controller must provide the data protection advisor with the resources that they need, and generally ensure that they have access to all necessary information, documents, data processing records and personal data. The data protection advisor must be given access to those documents that are actually required to fulfil their duties. For example, the data protection advisor will not require access to personal data if they are doing a general check on internal data protection rules or data processing procedures. In addition, the data controller must give the data protection advisor the right to provide information to top-level management or a supervisory body in important cases.

Exception for high-risk data protection impact assessment

After a data protection impact assessment, a company may rely solely on internal advice without consulting the FDPIC even in cases where the level of risk remains high. This is permitted when the data protection advisor also fulfils the criteria set out in Article 10 paragraph 3 FADP:

The data protection advisor must be able to carry out their function independently, and they must not be bound by the data controller’s instructions. Their place in the company’s organisational hierarchy should reflect this independence. In principle they should report to the data controller’s executive board. In this regard, the data protection advisor should also have the right to provide information to top-level management or a supervisory body in important cases. This would be the data controller’s highest level of management, i.e. the body that holds responsibility for compliance with data protection rules.
The data protection advisor at a company must not take on tasks that are in conflict with their function. This type of conflict may arise when the data protection advisor is also a member of the executive board, when they perform functions in HR management or information systems management, or when they work in a unit processing sensitive personal data. It may, however, be possible to combine the tasks of the data protection advisor with those of the information security officer.
The data protection advisor must possess the required specialist knowledge of data protection law and technical standards in data security.
The private data controller must publish the contact information of their data protection advisor and provide this information to the FDPIC using its notification portal.