Information security

On this page you will find important information and instructions relating to IT and information security.

Guide to Technical and Organisational Data Protection Measures (TOM)

This guide provides an introduction to the risks and solutions associated with data protection in today's information systems. The main themes of data protection are presented from the point of view of possible technical and organisational measures, such as encryption, anonymisation, authentication, etc. The Guide is designed as an aid to implementing appropriate measures to ensure optimal and appropriate protection of personal data, by linking those measures to current regulations and standards.

The Guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management.

Technical recommendations for logging in accordance with Article 4 DPO

A private controller and its private processor must log the storage, alteration, reading, disclosure, deletion and destruction of data during the automated processing of personal data. These recommendations are intended to provide a summary of what is involved in this form of logging and what needs to be done to comply with Article 4 DPO in technical terms.

Instructions for drawing up Processing Regulations for Private Persons

The private Controller and its Processor (see Art. 5 DPO) must draw up processing regulations for automated processing operations if they process sensitive personal data on a large scale or carry out high-risk profiling.

Instructions for drawing up Processing Regulations for federal bodies

The federal body responsible and its Processor (see Art. 6 DPO) shall draw up processing regulations for automated processing operations if they process sensitive personal data; carry out profiling; process personal data in accordance with Article 34 paragraph 2 letter c FADP; make personal data accessible to cantons, foreign authorities, international organisations or private persons; link data collections with each other; or operate an information system or manage data collections together with other federal bodies.

The basis for the processing regulations – in relation to ICT projects in the Federal Administration – is the ISDP concept.

Personal data breaches must be reported to the FDPIC when the new Federal Act on Data Protection (FADP) comes into force on September 1st 2023.

Federal bodies have to report their data processing activities to the FDPIC (under the new law: entries from the inventory of processing activities in accordance with Article 12 FADP).

Data protection officer

Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.

Last modification 22.01.2024