Data protection impact assessment

Data protection impact assessment

Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.

The DPIA is an instrument used by data controllers to record, evaluate and deal with data protection risks. The rules on DPIAs in the totally revised Federal Data Protection Act reflect the risk-based approach taken in the new data protection law, which also means that the requirement to carry out a DPIA only applies if there is a potentially high risk.

The DPIA provides a description of the data processing that is planned, evaluates the risks to the personality or fundamental rights of the data subjects and indicates the measures required to protect those rights. Where a data processing operation is already ongoing, the data controller has to check the position and indicate in the DPIA the main differences between the existing operation and the data processing that is planned. 

A high risk may arise from the nature, scope, circumstances and purpose of the processing, in particular when using new technologies. The law mentions, for example, the large-scale processing of sensitive personal data and the systematic, large-scale surveillance of public areas (see Art. 22 FADP). When assessing and dealing with risks, it is important to distinguish between those that can be influenced by risk-reducing measures and those that cannot or are unlikely to be influenced by measures. 

If the DPIA shows that the planned data processing poses a high residual risk to the personality or fundamental rights of the data subjects despite the measures envisaged by the controller, an opinion must be obtained from the FDPIC. An exception applies to private controllers if they have consulted their data protection officer. 

More information on the website of the Federal Office of Justice (FOJ)

Duty to provide information

The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected.

Right to information

In accordance with the Federal Act on Data Protection, any person may request information from the controller of a data file as to whether their personal data is being processed.

Data protection officer

Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.

Criminal law

Criminal aspects of breaches of obligations under the FADP.

Last modification 01.09.2023

Top of page