Data protection certification

Manufacturers of data processing systems and programmes, data controllers and processors can have their systems, products and services assessed by a recognised independent certification body (Art. 13 para. 1 FADP).

The Federal Council issued the Ordinance of 31 August 2022 on Data Protection Certification (DPCO) based on Article 13 paragraph 2 FADP regulating the recognition of certification procedures and the introduction of a data protection quality label.

Certification bodies accredited in accordance with the DPCO (Art. 1 para. 2 DPCO) can provide certification for organisational structures and procedures (management systems), for products, in particular data processing systems or programs and hardware, as well as for services and processes. Accreditation is carried out by the Swiss Accreditation Service (SAS), which consults the FDPIC regarding procedures, follow-up inspections and sanctions (Art. 2 DPCO).

In accordance with Article 6 paragraph 2 DPCO, the FDPIC issues specific guidelines on the minimum requirements for a management system, taking into account technical standards. In addition, in accordance with Article 7 paragraph 2 DPCO, he issues guidelines on the criteria under data protection law which the assessment of products, services and processes must fulfil.
The FDPIC recognises foreign certification bodies and data protection certifications in consultation with the Swiss Accreditation Service (Art. 3 para. 2 and Art. 9 DPCO).

The FDPIC shall inform the certification body if he identifies serious deficiencies on the part of a certified manufacturer of data processing systems or programmes, a data controller or a processor. If the data controller does not rectify the deficiency within 30 days and the certification body does not initiate any measures, the FDPIC himself can suspend or revoke the certification (Art. 12 para. 4 DPCO). 

Certified data controllers are exempt from the obligation to carry out a data protection impact assessment (Art. 22 para. 5 FADP). In addition to this advantage, certification also offers manufacturers and data controllers the opportunity to document and communicate their compliance with data protection law, thus increasing their sense of responsibility.

Certification particularly promotes transparency by having an independent body analyse increasingly complex data processing operations. This should give the people affected by data processing the opportunity to actively decide in favour of systems, products and services that promote data protection, thus strengthening data protection and data security as a whole.