The Data Protection Act allows companies to self-regulate. Those that appoint a data protection advisor and notify the FDPIC that they have done so will be subject to fewer data protection impact assessment requirements. The role of the data protection advisor and the person chosen to exercise that role must nevertheless fulfil certain criteria. They monitor a company’s compliance with data protection requirements and provide the data controller with advice on data protection matters.
Data protection advisor
Under the current FADP, companies that appoint a data protection advisor and inform the FDPIC thereof may refrain from notifying us of their data collections. The list of data collection owners who are exempt from the notification requirement by designating a company data protection officer or data protection officers is available until the new FADP enters into force in September 2023 and is updated on an ongoing basis. (List in German, French or Italian)
Private companies can appoint a data protection advisor in accordance with Article 10 of the Data Protection Act. The data protection advisor may be, but does not have to be, an existing employee. Data protection advice should be given independently of the company’s other activities in any case.
The work of the data protection advisor should ideally be kept separate from other legal advice and representation. The data protection advisor should be given the opportunity to present their point of view on cases where company management is not in agreement.
Unlike under the GDPR, only federal bodies are obliged to name a data protection advisor; it is voluntary for private companies. Private companies must nevertheless notify the FDPIC of their data protection advisor if they wish to be exempted from consulting the FDPIC after a data protection impact assessment. They can use the FDPIC’s dedicated notification portal for this.
In addition to serving as a contact point for people within their companies, the data protection advisor is also the contact person for the FDPIC and other authorities responsible for data protection in Switzerland. If a company’s data protection advisor is not an employee of the private data controller, they will as a rule be required to present a power of attorney from the private data controller when representing it.
The private data controller must provide the data protection advisor with the resources that they need, and generally ensure that they have access to all necessary information, documents, data processing records and personal data. The data protection advisor must be given access to those documents that are actually required to fulfil their duties. For example, the data protection advisor will not require access to personal data if they are doing a general check on internal data protection rules or data processing procedures. In addition, the data controller must give the data protection advisor the right to provide information to top-level management or a supervisory body in important cases.
Exception for high-risk data protection impact assessment
After a data protection impact assessment, a company may rely solely on internal advice without consulting the FDPIC even in cases where the level of risk remains high. This is permitted when the data protection advisor also fulfils the criteria set out in Article 10 paragraph 3 FADP:
- The data protection advisor must be able to carry out their function independently, and they must not be bound by the data controller’s instructions. Their place in the company’s organisational hierarchy should reflect this independence. In principle they should report to the data controller’s executive board. In this regard, the data protection advisor should also have the right to provide information to top-level management or a supervisory body in important cases. Top-level management here means the data controller’s highest level of management, i.e. the body that holds responsibility for compliance with data protection rules.
- The data protection advisor at a company must not take on tasks that are in conflict with their function. This type of conflict may arise when the data protection advisor is also a member of the executive board, when they perform functions in HR management or information systems management, or when they work in a unit processing sensitive personal data. It may, however, be possible to combine the tasks of the data protection advisor with those of the information security officer.
- The data protection advisor must possess the required specialist knowledge of data protection law and technical standards in data security.
- The private data controller must publish the contact information of their data protection advisor and provide this information to the FDPIC using its notification portal.
Data protection advisors for federal bodies
Federal bodies are obliged to appoint a data protection advisor. They are still permitted to notify the FDPIC of their data protection advisor via email.
Last modification 23.05.2023