Information security
On this page you will find important information and instructions relating to IT and information security.
Guide to Technical and Organisational Data Protection Measures (TOM)
This provides an introduction to the risks and solutions associated with data protection in today's information systems. The main themes of data protection are presented from the point of view of possible technical and organisational measures, such as encryption, anonymisation, authentication, etc. The Guide is designed as an aid to implementing appropriate measures to ensure optimal and appropriate protection of personal data, by making the links with current regulations and standards.
The Guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management.
Guidelines on data breaches
These FDPIC guidelines deal with the legal notification requirements for data security breaches to the FDPIC, in particular the notion of a ‘likely high risk’ as defined in art. 24 para. 1 FADP. They also define the requirements for informing the data subjects in the event of a data security breach in accordance with art. 24 para. 4 FADP.
Technical recommendations for logging in accordance with Article 4 DPO
A private controller and its private processor must log the storage, alteration, reading, disclosure, deletion and destruction of data during the automated processing of personal data. These recommendations are intended to provide a summary of what is involved in this form of logging and what needs to be done to comply with Article 4 DPO in technical terms.
Instructions for drawing up Processing Regulations for Private Persons
The private Controller and its Processor (see Art. 5 DPO) must draw up processing regulations for automated processing operations if they process sensitive personal data on a large scale or carry out high-risk profiling.
Instructions for drawing up Processing Regulations for federal bodies
The federal body responsible and its Processor (see Art. 6 DPO) shall draw up processing regulations for automated processing operations if they process sensitive personal data; carry out profiling; process personal data in accordance with Article 34 paragraph 2 letter c FADP; make personal data accessible to cantons, foreign authorities, international organisations or private persons; link data collections with each other; or operate an information system or manage data collections with other federal bodies.
The basis for the processing regulations – in relation to ICT projects in the Federal Administration – is the ISDP concept.
Reporting portals
DataBreach
The FDPIC provides data controllers with an online form through which reports can be submitted in a digital and secure manner. After submitting the report, the data controller can download a confirmation containing the submitted data.
Data protection officer
Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.
DataReg - Report of processing activities
Federal bodies are obliged to report entries from the register of processing activities to the FDPIC in accordance with Article 12 FADP. Private individuals were exempted from the reporting obligation when the revised Data Protection Act (FADP) came into force on 1 September 2023.