Data protection advisor

The Data Protection Act allows companies to self-regulate. Those that appoint a data protection advisor and notify the FDPIC that they have done so will be subject to fewer data protection impact assessment requirements. The role of the data protection advisor and the person chosen to exercise that role must nevertheless fulfil certain criteria. They monitor a company’s compliance with data protection requirements and provide the data controller with advice on data protection matters.

Private companies can appoint a data protection advisor in accordance with Article 10 of the Data Protection Act. The data protection advisor may be, but does not have to be, an existing employee. In either case, data protection advice should be given independently of the company’s other activities.

The work of the data protection advisor should ideally be kept separate from other legal advice and representation. The data protection advisor should be given the opportunity to present their point of view on cases where company management is not in agreement. 

Unlike under the GDPR, only federal bodies are obliged to appoint a data protection advisor; for private companies this is voluntary. However, private companies must notify the FDPIC of their data protection advisor if they wish to be exempted from the data protection impact assessment. They can use the FDPIC’s dedicated notification portal for this.

In addition to serving as a contact point for people within their companies, the data protection advisor is also the contact person for the FDPIC and other authorities responsible for data protection in Switzerland. If a company’s data protection advisor is not an employee of the private data controller, they will regularly be required to present a power of attorney for the private data controller when representing it.

A data protection advisor's tasks also include providing members of the company with general advice and training on data protection. They participate in creating and applying terms of use and data protection rules. They advise the data controller on data protection matters, but the data controller alone is responsible for ensuring that personal data are processed in accordance with data protection requirements.

The private data controller must provide the data protection advisor with the resources that they need, and generally ensure that they have access to all necessary information, documents, data processing records and personal data. The data protection advisor must be given access to those documents that are actually required to fulfil their duties. For example, the data protection advisor will not require access to personal data if they are doing a general check on internal data protection rules or data processing procedures. In addition, the data controller must give the data protection advisor the right to provide information to top-level management or a supervisory body in important cases.

Exception for high-risk data protection impact assessment

After a data protection impact assessment, a company may rely solely on internal advice without consulting the FDPIC even in cases where the level of risk remains high. This is permitted when the data protection advisor also fulfils the criteria set out in Article 10 paragraph 3 FADP: 

  • The data protection advisor must be able to carry out their function independently, and they must not be bound by the data controller’s instructions. Their place in the company’s organisational hierarchy should reflect this independence. In principle they should report to the data controller’s executive board. In this regard, the data protection advisor should also have the right to provide information to top-level management or a supervisory body in important cases. This would be the data controller’s highest level of management, i.e. the body that holds responsibility for compliance with data protection rules. 
  • The data protection advisor at a company must not take on tasks that are in conflict with their function. This type of conflict may arise when the data protection advisor is also a member of the executive board, when they perform functions in HR management or information systems management, or when they work in a unit processing sensitive personal data. It may, however, be possible to combine the tasks of the data protection advisor with those of the information security officer.
  • The data protection advisor must possess the required specialist knowledge of data protection law and technical standards in data security.
  • The private data controller must publish the contact information of their data protection advisor and provide this information to the FDPIC using its notification portal.

Data protection advisors for federal bodies

Federal bodies are obliged to appoint a data protection advisor. They are still permitted to notify the FDPIC of their data protection advisor via email. 

Last modification 23.05.2023