The Data Protection Act allows companies to self-regulate. Those that appoint a data protection officer and notify the FDPIC that they have done so will be subject to fewer data protection impact assessment requirements. The role of the data protection officer and the person chosen to exercise that role must nevertheless fulfil certain criteria. They monitor a company’s compliance with data protection requirements and provide the data controller with advice on data protection matters.
Data protection officer
Private companies can appoint a data protection officer in accordance with Article 10 of the Data Protection Act. The data protection officer may be, but does not have to be, an existing employee. Data protection advice should be given independently of the company’s other activities in any case.
The work of the data protection officer should ideally be kept separate from other legal advice and representation. The data protection officer should be given the opportunity to present their point of view on cases where company management is not in agreement.
Contrary to the terms of the GDPR, only federal bodies are obliged to name a data protection officer; it is voluntary for private companies. Private companies must, however, notify the FDPIC of their DPO if they wish to be exempted from the data protection impact assessment. They can use the FDPIC’s dedicated notification portal for this.
In addition to serving as a contact point for people within their companies, the data protection officer is also the contact person for the FDPIC and other authorities responsible for data protection in Switzerland. If a company’s data protection officer is not an employee of the private data controller, they will as a rule be required to present a power of attorney for the private data controller when representing it.
The private data controller must provide the data protection officer with the resources that they need, and generally ensure that they have access to all necessary information, documents, data processing records and personal data. The data protection officer must be given access to those documents that are actually required to fulfil their duties. For example, the data protection officer will not require access to personal data if they are doing a general check on internal data protection rules or data processing procedures. In addition, the data controller must give the data protection officer the right to provide information to top-level management or a supervisory body in important cases.
Exception for high-risk data protection impact assessment
After a data protection impact assessment, a company may rely solely on internal advice without consulting the FDPIC even in cases where the level of risk remains high. This is permitted when the data protection officer also fulfils the criteria set out in Article 10 paragraph 3 FADP:
- The data protection officer must be able to carry out their function independently, and they must not be bound by the data controller’s instructions. Their place in the company’s organisational hierarchy should reflect this independence. In principle they should report to the data controller’s executive board. In this regard, the data protection officer should also have the right to provide information to top-level management or a supervisory body in important cases. This would be the data controller’s highest level of management, i.e. the body that holds responsibility for compliance with data protection rules.
- The data protection officer at a company must not take on tasks that are in conflict with their function. This type of conflict may arise when the data protection officer is also a member of the executive board, when they perform functions in HR management or information systems management, or when they work in a unit processing sensitive personal data. It may, however, be possible to combine the tasks of the data protection officer with those of the information security officer.
- The data protection officer must possess the required specialist knowledge of data protection law and technical standards in data security.
- The private data controller must publish the contact information of their data protection officer and provide this information to the FDPIC using its notification portal.
Data protection officers for federal bodies
Federal bodies are obliged to appoint a data protection officer and to notify the FDPIC of the appointment.
Further information on the registration of data protection officers in the FDPIC's reporting portal
In principle, controllers should provide the contact details of their data protection officers themselves via the portal in order to have control over the reported data. However, it is also possible for any person authorised by the controller to make the report to the FDPIC. Please note the following points:
- To report and amend data, you need either a CH login or a FED login (this only applies to persons reporting from the federal administration).
- You can create as many CH logins as you like, but they each need a separate email address.
- Once you have created a CH login or a FED login, an account is created on the FDPIC's reporting portal. Each account is valid for exactly ONE controller (business). This account can only be transferred to another person with the associated login.
- You can create the CH login with a private (non-transferable) or a generic email address. The generic email address has the advantage that you can transfer it to another person so that the reported data can still be amended later if necessary (e.g. if someone leaves the business or changes position).
- A two-factor procedure is used for the authentication of the CH login. An authenticator app, an mTAN mobile number or a FIDO passkey can be used here.
- The reporting person’s data are stored in the system and thus with the controller for the purpose of traceability and for the login procedure. This data can be changed separately in the portal after registration.
- If it is not possible for you to use the portal taking the above points into account (e.g. because you need to register the data for several controllers but do not have several email addresses to create the several CH logins required), please send the contact details of the data protection officers to the FDPIC by letter or email.
No migration from the previous directory
Information and declarations on data protection officers pursuant to Article 11a paragraph 5 letter e of the old FADP from the previous directory will not be migrated to the new portal for data protection officers because of the new legal requirements for data protection officers.
Last modification 07.09.2023