- In a nutshell
- I. General
- II. Data Protection Advisor to the Private Controller
- III. Data Protection Advisor to Federal Bodies (Art. 10 para. 4 FADP)
- Bibliography
- Materials
In a nutshell
Art. 10 FADP regulates the appointment and duties of the data protection advisor as well as the conditions for using the exemption under Art. 23 para. 4 FADP. The institution of the data protection advisor enables private companies to regulate themselves. The appointment of a data protection advisor is voluntary for the private controller, however, if appointed, it may benefit from the exemption whereby consultation of the FDPIC may be waived in the case of a data protection impact assessment (DIA) under certain conditions.
I. General
A. Introduction
1 Art. 10 FADP governs the appointment and duties of the data protection advisor as well as the conditions for using the exemption under Art. 23 para. 4 FADP. Art. 23 DPA specifies the requirements for a private controller who appoints a data protection advisor. The institution of the data protection advisor also enables private companies to regulate themselves or to appoint a person to manage data protection within the company.
2 With the introduction of the new provision on the data protection advisor in Art. 10 FADP, the consultation of the FDPIC in the context of a DIA, which is mandatory under certain conditions, has been facilitated. A data processing project of a private controller that still presents a "high risk" despite a DIA having been performed no longer has to be submitted to the FDPIC if the data protection advisor has already been consulted (Art. 23 para. 4 FADP). A company that has appointed a data protection advisor may therefore rely solely on internal data protection advice without having to consult the FDPIC in addition.
3 The appointment of a data protection advisor is voluntary for the private controller. Under the previous law, the appointment of a "data protection advisor" (comparable in its design) meant that companies were no longer required to notify the FDPIC of their data collections, which would otherwise be subject to registration. With the revision, the obligation to register for private individuals is generally eliminated.
4 While the appointment of a data protection advisor is voluntary for private data controllers, it is mandatory for federal bodies (Art. 10 para. 4 FADP in conjunction with Art. 25 ff FADP). The Federal Council regulates in Art. 25 DPA the appointment, in Art. 26 DPA the requirements and duties of the data protection advisor of federal bodies. Art. 27 DPA defines the duties of the federal bodies vis-à-vis the data protection advisor, and Art. 28 DPA defines the data protection advisor as the point of contact vis-à-vis the FDPIC.
B. Comparative law
1. Obligation to appoint a data protection officer under DSGVO
5 With the entry into force of the DSGVO, the European Union introduced the obligation to appoint a so-called data protection officer in certain cases. Art. 37 para. 1 DSGVO lists three groups of cases in which a data protection officer must be appointed.
6 First, according to Art. 37 para. 1 lit. a DSGVO, this obligation exists for public authorities and public bodies, with the exception of courts, if they act within the scope of their judicial activities. This includes, for example, building authorities, water and energy suppliers or transport companies.
7 Furthermore, Art. 37 para. 1 DSGVO in lit. b imposes an obligation to designate if the core activity of the controller or processor is to carry out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of individuals. Recital 97 to the DSGVO explains that the core activity of a controller refers to "its main activities and not to the processing of personal data as an ancillary activity." The European Commission's Article 29 Working Party had published guidance on this topic with WP 243 regarding Data Protection Officers ("DPOs"). "Core activities" are thus the main work processes necessary to achieve the controller's or processor's objectives. "Regular" monitoring is when it is ongoing or periodic, and "systematic" when it follows a methodical or organized approach or is part of a broader strategy. Examples include private security companies that monitor private shopping malls and public places, or apps whose core functionality requires the analysis of location data (e.g., sports or navigation apps).
8 Finally, according to Art. 37 para. 1 lit. c DSGVO, there is an obligation to designate a data protection officer in cases where the core activity of the controller or processor consists of extensive processing of special categories of personal data pursuant to Art. 9 DSGVO or of personal data relating to criminal convictions and offences pursuant to Art. 10 DSGVO. Whether a processing operation is extensive within the meaning of this provision must be clarified on a case-by-case basis, for example by taking into account the amount of data processed or the number of data subjects. Examples are the processing of patient data in the ordinary course of business of a hospital or the processing of customer data in the ordinary course of business of an insurance company.
2. Obligation to appoint a data protection officer in accordance with country-specific regulations
9 Country-specific regulations may provide for more extensive provisions under which a data protection officer must be appointed. For example, the German Federal Data Protection Act (BDSG) provides for an obligation to appoint a data protection officer if at least 20 employees are permanently involved in the automated processing of personal data (Section 38 para. 1 sentence 1 BDSG). In addition, Section 38 para. 1 sentence 2 BDSG lists two further scenarios in which companies must appoint a data protection officer regardless of the number of persons involved in the processing: on the one hand, in cases where a DIA is required pursuant to Art. 35 DSGVO, and on the other hand, in situations in which they process personal data on a commercial basis for the purpose of anonymized transmission or for the purpose of market or opinion research.
C. Terminology
10 The former FADP used the term "data protection officer" in German and "responsabile per la protezione dei dati" in Italian, while the French version reads "conseiller à la protection des données," i.e., "data protection advisor" (Art. 11a para. 5 lit. e aDSG). In order to avoid confusion with "responsible person" according to Art. 5 lit. i FADP or with "responsabile", the revision of the FADP introduced the term "data protection advisor" in German or "consulente per la protezione dei dati" in Italian. As a result, the terminology of Art. 10 FADP has been standardized in all three languages.
11 At the same time, it has also been clarified that the responsibility for the processing of personal data in compliance with data protection law does not lie with the data protection advisor, but with the company responsible, the "responsible party".
II. Data Protection Advisor to the Private Controller
A. Appointment of the Data Protection Advisor (Art. 10 para. 1 FADP)
1. Voluntary nature of the appointment of a data protection advisor
12 Art. 10 para. 1 FADP states that the appointment of a data protection advisor is voluntary for private data controllers. According to the FADP, it is thus up to the private controller whether it appoints a data protection advisor. However, a company that has appointed a data protection advisor in accordance with Art. 10 para. 3 FADP may, even if the risk remains high, rely solely on internal data protection advice after carrying out a DIA without having to consult the FDPIC (Art. 23 para. 4 FADP).
13 However, companies that operate internationally must comply with the requirements of the DSGVO and are therefore often required to appoint a data protection officer pursuant to Art. 37 DSGVO.
14 Furthermore, it is in the interest of every company to ensure efficient and effective data protection within its organization in terms of appropriate compliance. It is therefore often advisable to at least appoint a data protection officer internally and to entrust him or her with data protection tasks. This person does not have to fulfill the requirements under Art. 10 para. 3 FADP. However, if he or she does not meet the requirements under Art. 10 para. 3, the company cannot benefit from the facilitations under Art. 24 para. 3 FADP.
15 In the case of the designation of such a person or body, ambiguities regarding their functional designation, status, position and field of activity should be avoided. It should therefore already be clear from the job title within the company and vis-à-vis the FDPIC and the data subjects that it is not a data protection advisor pursuant to Art. 10 para. 3 FADP. It is advisable to choose a different designation for this function, such as data protection unit, data protection contact person, data protection coordinator or privacy officer. The company responsible is free to assign tasks as it sees fit. Nevertheless, the tasks should be clearly defined in a specification.
2. Appointment of an Internal or External Data Protection Advisor
16 The company responsible may designate an internal person or an external person or body as data protection advisor.
17 The internal data protection advisor is an employee or a department of a company who specifically deals with data protection in the respective company. In larger companies, they are regularly supported at a lower hierarchical level by so-called data protection managers or data owners who are responsible for data protection in their respective area, such as for creating and maintaining the list of processing activities (Art. 12 FADP).
18 External data protection advisors, on the other hand, are natural or legal persons who offer data protection as a service and act on the basis of a contractual relationship. As a rule, however, even in these cases a contact person must be appointed within the company to serve as a point of contact on data protection issues, both for the external advisor and for the employees.
19 The advantage of an internal data protection advisor is that he or she is integrated into the company itself and thus has a better overview of the internal processes. Furthermore, the advisor can directly check and influence whether data protection is "lived" in the corporate culture and does not exist only on paper. On the other hand, being too close to the company and its employees can be a disadvantage, as it can lead to conflicts of interest. Often there is also a lack of the resources and know-how needed to ensure that data protection is adequately safeguarded within the company, or a conflict of interest stands in the way of this. In such situations, it makes sense to outsource the mandate of the data protection advisor.
3. Appointment of a joint data protection advisor for a group of companies
20 For a group of companies, it is possible to appoint a joint data protection advisor. However, the joint data protection advisor must be easily accessible to the data subjects and the FDPIC as an internal contact person via suitable communication channels. He or she must be able to communicate effectively with data subjects and cooperate effectively with the competent supervisory authorities. However, there is no obligation to be based in Switzerland as long as the data protection advisor is able to perform his or her duties effectively. Nevertheless, knowledge of a national language is likely to be required.
B. Tasks of the data protection advisor (Art. 10 para. 2)
1. Contact point for the FDPIC and other authorities responsible for data protection in Switzerland, as well as for data subjects
21 The data protection advisor is an important point of contact with regard to the data processing activities carried out by the data controller. He or she is involved in the company's data protection compliance processes. A professional contact person can thus be identified directly, which makes it easier for the FDPIC or data subjects to exercise their rights.
22 For questions relating to the processing of personal data in the company, he or she therefore serves as a point of contact for the FDPIC and other authorities responsible for data protection in Switzerland (such as FINMA or the cantonal data protection authorities). He or she also serves as a point of contact for the data subjects, for example in the event of a request for information pursuant to Art. 25 ff. FADP.
2. Training and advice for the private controller on data protection issues (para. 2 lit. a)
23 In order to ensure effective data protection in the respective company, the data protection advisor must train, educate and sensitize the private controller or its employees accordingly. At the very least, all employees who come into contact with personal data must be involved. The focus should be on the principles of data protection law (Art. 6 FADP). Other training topics include the requirements for disclosure abroad and the handling of particularly sensitive personal data within the company. In addition, employees must also be trained with regard to data security requirements (Art. 8 FADP).
24 The training of employees in data protection and data security by the data protection advisor should be repeated at regular intervals, preferably annually. Regular awareness-raising ensures that the topic of data privacy remains present in the minds of employees. In addition, current innovations, e.g., with regard to the company's IT landscape, can be passed on to employees in a timely manner.
25 In his or her advisory role, the data protection advisor has the task of advising on compliance with data protection regulations in data processing, identifying the relevant facts of the data protection issue in each case and, on the basis of these facts, identifying alternative courses of action.
3. Cooperation in the application of data protection regulations (para. 2 lit. b)
26 A further task of the data protection advisor is his or her involvement in the application of the data protection regulations. This includes, in particular, helping to issue terms of use and data protection regulations. Furthermore, he or she shall review the processing of personal data and recommend corrective measures if a violation of data protection regulations is identified. In addition, he or she shall assist the private controller in the preparation of DIAs and review their execution. Furthermore, it is important that the data protection advisor is perceived as an interlocutor within the institution and that he or she is a member of the relevant working groups that deal with data processing activities within the company. However, it is not part of the duties of the data protection advisor of the private controller to report data security breaches to the FDPIC or to data subjects. Although it may often make sense to involve the data protection advisor in the case of data security breaches, this is not required by law.
27 The data protection advisor is to be understood as a supporting body, but not as a supervisory body. With regard to the auditing of data processing and the recommendation of corrective measures, it is therefore not a question of introducing an active auditing obligation or prescribing systematic controls of all data processing. Rather, it is sufficient for the data protection advisor to become active if, for example, the data controller requests an audit of data processing or if he or she receives indications that data protection regulations have been violated. Of course, the data controller is free to demand that the data protection advisor proactively check data processing. It is conceivable and common in practice that he or she will conduct a data protection audit once a year.
28 Other tasks of the data protection advisor that may be considered are:
- developing and reviewing the implementation of data security measures (Art. 8 FADP);
- examination of processing by the processor (Art. 9 FADP);
- elaboration and audit of the registers of processing activities (Art. 12 FADP);
- examination of the disclosure of data abroad (Art. 16 ff. FADP);
- support in the fulfillment of information obligations (Art. 19 ff. FADP);
- development and implementation of processes for handling requests from data subjects (Art. 25 FADP);
- developing appropriate processes to safeguard data subjects' rights and comply with data protection regulations (Art. 25 ff. FADP);
- conducting risk assessments (e.g., risk of unintentional/unauthorized data disclosure, deletion or processing, data loss or technical error, etc.), for example as part of a DIA;
- preparation of annual reports on the activities for the attention of the controller.
4. Excursus: No Responsibility of the Data Protection Advisor
29 It is often assumed that the data protection advisor is responsible for data protection and its compliance within the company. However, the data protection advisor has no authority to act beyond his or her training, advisory and participation functions, which are derived from the FADP itself. The sole decision-making authority - and thus also the sole responsibility for the processing of personal data in compliance with data protection law - lies with the company responsible. The data protection advisor should report to the highest management level of the company concerned. The situation would only be different if the data protection advisor were to act as a de facto body and thus have a decisive influence on the decision-making of the controller by deciding on the means and purpose of the processing. However, this would not be permissible due to the professional independence required under Art. 10 para. 3 FADP and the fact that the data protection advisor is not bound by instructions. If a data protection advisor nevertheless decides on the purpose and means of data processing, liability (under civil and/or criminal law) would be possible.
30 If the data protection advisor makes recommendations, the company should ensure that the recommendations are implemented. If it does not do so and the recommendation was justified, this can - if such an incident becomes public - lead to not inconsiderable damage to the company's image. This may even lead to sanctions being imposed on an individual employee. However, if the recommendation was incorrect, the data protection advisor is liable within the scope of his or her existing employment or contractual relationship.
C. Requirements for the data protection advisor (para. 3)
31 In order for a company to be released from consulting the FDPIC if a high risk still exists despite the DIA having been performed (Art. 23 para. 4 FADP), the data protection advisor must meet the requirements of Art. 10 para. 3 FADP.
1. Professionally independent and not bound by instructions (lit. a)
32 The data protection advisor must be independent in his or her activities to the extent that the tasks can be performed independently of instructions and cannot be sanctioned by the company on the basis of his or her activities. This means that he or she may not be given any instructions in the performance of his or her duties as to how he or she should proceed in a given situation, e.g., what result should be achieved, how a complaint should be followed up or whether or not the FDPIC should be consulted. Furthermore, he or she must not be instructed to take a particular position on a question of data protection law (for example, with regard to the interpretation of a law).
33 In addition, it must be ensured that the data protection advisor can freely express his or her recommendations - even if they may be disagreeable in part - without fear of disadvantage. This independence also means that the data protection advisor can refer important matters to the highest management (such as the board of directors of a stock corporation) (Art. 23 lit. c FADP). In principle, he or she should therefore also report directly to the management or even the board of directors of the controller.
2. No incompatibility with other duties (lit. b)
34 In order for the data protection advisor to be able to perform his or her duties within the company, he or she must not engage in any other activities that are incompatible with those duties. Data protection advice should be performed separately from the operational tasks of the company. A conflict of interest must be avoided. Such a conflict could arise, for example, if the data protection advisor is a member of the management, head of the operating division or head of the IT department, or if he or she performs functions in the area of personnel management or information system management (such as IT manager). The data protection advisor may not at the same time hold a position in which he or she decides on the means and purpose of the data processing activities of the data controller or has an interest in such activities. It is also advisable not to mix data protection advice with other legal advice and representation.
35 A possible conflict of interest must therefore be avoided in advance through the organizational position of the data protection advisor. As a matter of principle, care should be taken to ensure that no line responsibility is associated with the position of data protection advisor. It is therefore advisable for a company to establish the function of data protection advisor as a staff position, for example. It is important that this does not involve an executive function in a business area. Another possibility would be to combine the task of the data protection advisor with that of the information security officer.
36 Because conflicts of interest are otherwise hardly avoidable in practice, the data protection advisor - except in the case of larger companies with their own data protection departments - is likely to be an external service provider as a rule.
3. Required Expertise (lit. c)
37 In order to be able to perform his or her duties independently, the data protection advisor must have the necessary professional qualifications. He or she must have sufficient knowledge in all relevant areas to be able to assess recommendations and proposed measures and evaluate them within the framework of the company's data protection strategy.
38 The requirements include not only knowledge in the area of data protection and data security, but also expertise specific to the company. If he or she has less developed knowledge in certain areas, he or she must at least be able to access such knowledge. Interdisciplinary knowledge, especially in the areas of IT and law, is required. Management systems must be understood.
4. Publication of contact data (lit. d)
39 It is the responsibility of the data controller to publish the contact details of the data protection advisor and to notify the FDPIC. The FDPIC has created a reporting portal for this purpose. The data protection advisor is an important contact person with regard to the data processing carried out by the company in question. The publication of contact details ensures that data subjects or the FDPIC can contact the data protection advisor directly.
40 It is not necessary for the company to publish the name of the data protection advisor. It is sufficient, for example, if the e-mail address of the technically competent office is provided. This office can also be an entire team or a company.
D. Obligations of the Private Controller (Art. 23 DPA)
41 In order for a company to be exempted from consulting the FDPIC if there is still a high risk despite the DIA having been performed (Art. 23 para. 4 FADP), the private controller must also fulfill certain obligations. The content of these obligations corresponds to the previous provisions of data protection law; they have only been adapted to the new FADP in terms of terminology.
1. Provision of the necessary resources (lit. a)
42 Pursuant to Art. 23 lit. a DPA, the private controller must provide the data protection advisor with the necessary resources - usually in the form of working time - to enable him or her to perform his or her duties. While the requirements vary depending on the size of the company, he or she must always have sufficient resources to adequately perform the function. This means that the more complex and/or sensitive the data processing operations, the more resources must be made available to the data protection advisor.
2. Granting access to all information, documents, lists of processing activities and personal data (lit. b)
43 In order to be able to perform his or her function, the data protection advisor must be granted access, upon request, to all information, documents, lists of processing activities and personal data that he or she requires to perform his or her duties. In addition to access, this also includes that he or she obtains knowledge of all data processing activities carried out within the company. This requires a comprehensive right to inspect documents, a right to be shown data processing systems and a right to information from all persons responsible for data processing. It would be advisable to introduce a reporting obligation within the company, which means that all data processing must be reported to the data protection advisor.
44 However, access to the information is restricted in that it applies only to those documents which the data protection advisor actually needs to fulfill his or her duties. For example, if the data protection advisor is conducting a general review of internal data protection regulations or data processing processes, he or she will not normally need access to personal data.
3. Granting the right to inform the highest management or administrative body in important cases (lit. c)
45 Art. 23 lit. c DPA introduces the possibility for data protection advisors to inform the highest management or administrative body in important cases, i.e., the body that also bears responsibility for compliance with data protection regulations in the company. This is because the data protection advisor does not have any decision-making power of his or her own, but is subordinate to the highest management level of the company concerned.
46 The provision establishes a right of escalation for the data protection advisor. This allows the data protection advisor not only to rely on the documents available to him or her during internal audits of compliance with data protection regulations, but also to enforce the procurement of additional information and documents. In addition, this ensures that the data protection advisor can report to the highest bodies of the controller or the commissioned processor in the event of complex circumstances and particularly serious violations and bring about a decision. In practice, information to the highest management or administrative body may also be provided by means of quarterly and annual reports on the activities of the data protection advisor.
III. Data Protection Advisor to Federal Bodies (Art. 10 para. 4 FADP)
A. Appointment (Art. 25 DPA)
47 Federal bodies are required to appoint a data protection advisor in the Schengen area based on Article 32 of Directive (EU) 2016/680. However, the rules governing the appointment of the data protection advisor by the federal bodies are not found in the FADP, but have been left to the Federal Council (Art. 10 para. 4 FADP).
48 According to Art. 25 DPA, several federal bodies may jointly appoint a data protection advisor. This provision is intended primarily to enable smaller federal bodies or departments with a centralized organizational structure to take advantage of sensible and resource-saving synergies. Larger federal agencies, on the other hand, can be expected to appoint a data protection advisor on their own. It is also open to federal bodies to appoint several data protection advisors.
B. Requirements and Tasks (Art. 26 DPA)
49 Art. 26 para. 1 DPA contains the requirements for the data protection advisor: he or she must have the necessary expertise and exercise his or her function vis-à-vis the federal body in a professionally independent manner and subject to instructions. This provision is analogous to the one under Art. 10 para. 3 FADP for private data controllers, which is why reference can be made to it.
50 Federal bodies are usually organized hierarchically. The revision has therefore strengthened and institutionalized the role of the data protection advisor within them so that he or she can perform the function effectively. The independence of the data protection advisor is expressed in the fact that in important cases he or she may turn to the top management of the federal body, as Art. 23 lit. c FADP provides for private controllers. That independence must be guaranteed primarily by organizational measures: for example, it is important to prevent the activity as data protection advisor from having a negative impact on the employee's performance appraisal.
51 Art. 26 para. 2 DPA lists the tasks of the data protection advisor of a federal body. The wording has been aligned with the provision for private controllers (Art. 10 para. 2 FADP), so reference can also be made to the commentary there. The data protection advisor participates in the application of the data protection regulations, in particular by examining the processing of personal data and recommending corrective measures (lit. a). If a violation of the data protection regulations is identified, he or she advises the controller and reviews the implementation of the corrective measures (lit. b). Furthermore, he or she trains and advises the employees of the federal body on data protection issues (lit. c). Finally, he or she serves as a point of contact for data subjects (lit. d).
C. Duties of the federal body (Art. 27 DPA)
52 The federal body grants the data protection advisor access to all information, documents, registers of processing activities and personal data that he or she requires to perform his or her duties (Art. 27 para. 1 lit. a DPA) and ensures that he or she is informed of any breach of data security (Art. 27 para. 1 lit. b DPA).
53 Art. 27 para. 1 lit. a DPA is thus identical to the rule for private controllers in Art. 23 lit. b FADP, and reference can be made mutatis mutandis to the explanations there. The duty to inform under Art. 27 para. 1 lit. b DPA applies to all breaches of data security, not only to those that must be reported to the FDPIC pursuant to Art. 24 FADP. It can be satisfied, for example, by the federal body instructing its employees to inform the data protection advisor of any data security breach. The data protection advisor then advises the federal body on whether the breach is subject to the notification obligation within the meaning of Art. 24 FADP. The notification itself, however, remains the responsibility of the federal body, which decides whether and which breaches are reported to the FDPIC.
54 Finally, the federal body publishes the contact details of the data protection advisor on the Internet and communicates them to the FDPIC (Art. 27 para. 2 DPA). As with the private controller, the federal body need not publish the name of the data protection advisor. It is sufficient if, for example, the e-mail address of the technically competent unit is provided. The competent unit can also be an entire team or a company.
D. Contact point of the FDPIC (Art. 28 DPA)
55 The data protection advisor serves as the FDPIC's point of contact for questions relating to the processing of personal data by the federal body concerned. Since he or she has the necessary expertise and inside knowledge of the body, he or she is the FDPIC's direct technical contact person.